Abstract

In the wiretap channel setting, one aims to get information-theoretic privacy of communicated data based only on the assumption that the channel from sender to adversary is noisier than the one from sender to receiver. The secrecy capacity is the optimal (highest possible) rate of a secure scheme, and the existence of schemes achieving it has been shown. For thirty years the ultimate and unreached goal has been to achieve this optimal rate with a scheme that is polynomial-time. (This means both encryption and decryption are proven polynomial time algorithms.) This paper finally delivers such a scheme. In fact it does more. Our scheme not only meets the classical notion of security from the wiretap literature, called MIS-R (mutual information security for random messages) but achieves the strictly stronger notion of semantic security, thus delivering more in terms of security without loss of rate.
1 Introduction



Introduced by Wyner, Csiszár and Körner in the late seventies [34, 11], the wiretap channel is a setting where one aims to obtain information-theoretic security (privacy) of communicated data under the sole assumption that the channel from sender to adversary is "noisier" than the channel from sender to receiver. Researchers have shown that there is a maximum possible rate (ratio of message length to ciphertext length) for a secure scheme, called the optimal rate, and they have shown, through the probabilistic method, that there exist secure schemes with this rate. But these results are non-constructive. A question of great interest in this area is whether there is an explicit, secure scheme that is polynomial-time. (Meaning, there are polynomial-time algorithms for both encryption and decryption.) But this has remained open for 30 years. In this paper we finally resolve this question by providing such a scheme.

However, we do even more. Our scheme achieves not only the classical notion of security from 
the wiretap literature but the stronger notion of semantic (equivalently, distinguishing) security of [3]. 
Furthermore our scheme is simple, efficient and modular. Unlike schemes from the I&C approaches, it 
makes only blackbox (meaning non-intrusive) use of error-correcting codes. Our scheme is obtained by 
combining methods from cryptography and coding theory. Let us now look at all this in some more 
detail. 

The wiretap model. The setting is depicted in Figure 1. The sender applies to her message M a randomized encryption function $\mathcal{E}: \{0,1\}^m \to \{0,1\}^c$ to get what we call the sender ciphertext $X \leftarrow\$ \mathcal{E}(M)$ (see footnote 1). This is transmitted to the receiver over the receiver channel ChR so that the latter gets a receiver ciphertext $Y \leftarrow\$ \mathrm{ChR}(X)$ which it decrypts via algorithm $\mathcal{D}$ to recover the message. The adversary's wiretap is modeled as another channel ChA and it accordingly gets an adversary ciphertext $Z \leftarrow\$ \mathrm{ChA}(X)$ from which it tries to glean whatever it can about the message.

A channel is a randomized function specified by a transition probability matrix W where W[x,y] is the probability that input x results in output y. Here x, y are strings. Thus, for example, we regard the Binary Symmetric Channel $\mathrm{BSC}_p$ with crossover probability $p < 1/2$ as taking a binary string x of any length and returning the string y of the same length formed by flipping each bit of x independently with probability p. For concreteness and simplicity of exposition we will often phrase discussions in the setting where ChR, ChA are BSCs with crossover probabilities $p_R, p_A < 1/2$ respectively, but our results apply in much greater generality. In this case the assumption that ChA is "noisier" than ChR corresponds to the assumption that $p_R < p_A$. This is the only assumption made: the adversary is computationally unbounded, and the scheme is keyless, meaning sender and receiver are not assumed to a priori share any information not known to the adversary.

Requirements. The two requirements are decryptability, also called decodability, and security. The first asks that the scheme provide error-correction over the receiver channel, namely $\lim_{m \to \infty} \Pr[\mathcal{D}(\mathrm{ChR}(\mathcal{E}(M))) \neq M] = 0$. Security may be measured in various ways. A security metric xs associates to encryption function $\mathcal{E}: \{0,1\}^m \to \{0,1\}^c$ and adversary channel ChA a number $\mathrm{Adv}^{\mathrm{xs}}(\mathcal{E}; \mathrm{ChA})$ that measures the maximum "advantage" of an adversary in breaking the scheme under metric xs, and we say that $\mathcal{E}$ provides XS-security relative to ChA if $\lim_{m \to \infty} \mathrm{Adv}^{\mathrm{xs}}(\mathcal{E}; \mathrm{ChA}) = 0$. The central metric of the wiretap literature is MIS-R (mutual-information security for random messages), defined via $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathcal{E}; \mathrm{ChA}) = I(M; \mathrm{ChA}(\mathcal{E}(M)))$ where M is uniformly distributed over $\{0,1\}^m$ and I is the mutual information. It was introduced by [26, 27] and strengthens the original metric of [34]. The name is from [5].

Taking a cryptographic perspective, the latter point out that MIS-R is weak because messages are assumed to be random. They introduce a semantic security (SS) metric following [15] that, roughly, asks that given the adversary ciphertext, the adversary cannot compute any function of the message with probability better than she could have without the adversary ciphertext. They show that this is equivalent to a strengthening of MIS-R that they call MIS security and also to a simpler and more convenient metric called distinguishing security (DS), also adapted from [15], where the advantage is defined via

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{E}; \mathrm{ChA}) = \max_{A, M_0, M_1} 2 \Pr[A(M_0, M_1, \mathrm{ChA}(\mathcal{E}(M_b))) = b] - 1$$

1 The notation $y \leftarrow\$ A(x)$ means that we run randomized function A on input x and denote the output by y.
Figure 1: Wiretap channel model. See text for explanations.



where challenge bit b is uniformly distributed over $\{0,1\}$ and the maximum is over all m-bit messages $M_0, M_1$ and all adversaries A. Since MIS, SS and DS are shown equivalent in [3] one can work with any of them, and our choice is DS.

Practical interest in the wiretap setting is escalating [35, 13], and applications need DS-security rather than MIS-R security. Thus DS-security is the most desirable target.

Previous work. In the Information and Coding (I&C) community, the wiretap setting has a literature encompassing hundreds of papers. (See the survey [23] or the book [3].) The focus has been to show the existence of MIS-R-secure schemes with optimal rate. (The schemes are not required to be explicit, let alone polynomial time.) This optimal rate is called the secrecy capacity. In the case of BSCs, it equals the difference $(1 - h_2(p_R)) - (1 - h_2(p_A)) = h_2(p_A) - h_2(p_R)$ in capacities of the receiver and adversary channels, where $h_2(p) = -p \lg(p) - (1-p) \lg(1-p)$ is the binary entropy. Non-constructive proofs of the existence of MIS-R-secure schemes with this optimal rate were given in [34, 11, 5]. A lot of work has followed aiming to establish similar results for other channels.

Mahdavifar and Vardy [24, 25] provide an explicit MIS-R-secure scheme with optimal rate, but they give no proof that decoding is possible for their scheme, even in principle let alone in polynomial time. The central open question in the wiretap channel community was whether there is a polynomial time (this means both encryption and decryption are polynomial time) MIS-R secure scheme with optimal rate.

DS-security has upped the ante. The first question here is to determine this optimal rate. Since DS-security is stronger than MIS-R security, the optimal rate could in principle be smaller but (perhaps surprisingly), for a broad class of channels, it isn't. That is, the optimal rate is the same for DS and MIS-R security for a broad class of channels including symmetric channels. This follows by applying a result of [3], which shows that MIS-R implies MIS for certain types of schemes and channels, to the scheme of [24, 25].

Polynomial-time DS-secure schemes were presented in [3] but their rate is not optimal. In summary, 
the most desirable goal here is to not only solve the long-standing open question from the wiretap 
community by giving a polynomial-time MIS-R-secure scheme with optimal rate but go further and give 
a polynomial-time DS-secure scheme with optimal rate. 

Our scheme. This paper resolves the above open problem, providing the first polynomial-time scheme 
that achieves DS (and hence MIS-R) security with optimal rate, meaning rate equal to the secrecy 
capacity. 

The scheme of [24, 25] is based on polar codes [2]. Our approach is modular and is able to use any ECC, so that we do not rely on the structure of specific ECCs.

One might hope to build a scheme for the case where the receiver channel is noiseless and then add error-correction to meet the decoding condition with a noisy receiver channel. This does not work because the error-correction helps the adversary by reducing the noise over the adversary channel. The need to couple security and decoding considerations in the design is one source of challenges.

Our scheme is based on three main ideas: the use of invertible extractors; analysis via smooth min-entropy; and an adaptation of the result of [3] saying that for certain types of schemes, DS-security on random messages implies DS-security on all messages. Section 5 overviews the technical approach, describes the components and scheme in detail and proves DS security.

We are stating asymptotic results for simplicity. Our proof will show a quantitative bound on adversary DS-advantage that decays exponentially with the security parameter. The scheme is also fairly simple and efficient. Finally the claims (proven DS-security and decoding with optimal rate) hold not only for BSCs but for a wide range of receiver and adversary channels.

A concrete instantiation. As a consequence of our general paradigm, we prove, for example, that the following simple scheme achieves secrecy capacity for the setting where ChR and ChA are BSCs with respective crossover probabilities $p_R < p_A < 1/2$. Let $\mathrm{E}: \{0,1\}^k \to \{0,1\}^n$ be an error-correcting code which is efficiently decodable for the BSC with crossover probability $p_R$, and such that $k \approx (1 - h_2(p_R)) \cdot n$ (such ECCs can be built e.g. from polar codes [2] or from concatenated codes [H]). Our encryption function $\mathcal{E}$ takes as input an m-bit message M, where $m = b \cdot t$, $b \approx (h_2(p_A) - h_2(p_R)) \cdot n$, and t is a parameter of the scheme. It first chooses uniformly at random a k-bit string $A \neq 0^k$ as well as t $(k-b)$-bit strings $R[1], \ldots, R[t]$. It then splits M into t b-bit blocks $M[1], \ldots, M[t]$, and outputs

$$\mathcal{E}(M) = \mathrm{E}(A) \,\|\, \mathrm{E}(A \otimes (M[1] \| R[1])) \,\|\, \cdots \,\|\, \mathrm{E}(A \otimes (M[t] \| R[t])),$$

where $\otimes$ is multiplication of k-bit strings interpreted as elements of the extension field $\mathrm{GF}(2^k)$.

Related work. Appendix A surveys work related to wiretap security.

2 Preliminaries 

Basic notation and definitions. If s is a binary string then s[i] denotes its i-th bit and |s| denotes its length. If S is a set then |S| denotes its size. If x is a real number then |x| denotes its absolute value. If $s_1, \ldots, s_l$ are strings then $s_1 \| \cdots \| s_l$ denotes their concatenation. If s is a string and n a non-negative integer then $s^n$ denotes the concatenation of n copies of s.

A probability distribution is a function P that associates to each x a probability $P(x) \in [0,1]$. The support $\mathrm{SUPP}(P)$ is the set of all x such that $P(x) > 0$. All probability distributions in this paper are discrete. Associate to random variable X and event E the probability distributions $P_X, P_{X|E}$ defined for all x by $P_X(x) = \Pr[X = x]$ and $P_{X|E}(x) = \Pr[X = x \mid E]$. We denote by $\lg(\cdot)$ the logarithm in base two, and by $\ln(\cdot)$ the natural logarithm. We adopt standard conventions such as $0 \lg 0 = 0 \lg \infty = 0$ and $\Pr[E_1 \mid E_2] = 0$ when $\Pr[E_2] = 0$. The function $h: [0,1] \to [0,1]$ is defined by $h(x) = -x \lg x$. The (Shannon) entropy of probability distribution P is defined by $H(P) = \sum_x h(P(x))$ and the statistical difference between probability distributions P, Q is defined by $\mathrm{SD}(P; Q) = \frac{1}{2} \sum_x |P(x) - Q(x)|$. If X, Y are random variables the (Shannon) entropy is defined by $H(X) = H(P_X) = \sum_x h(P_X(x))$. The conditional entropy is defined via $H(X \mid Y = y) = \sum_x h(P_{X|Y=y}(x))$ and $H(X \mid Y) = \sum_y P_Y(y) \cdot H(X \mid Y = y)$. The statistical or variational distance between random variables $X_1, X_2$ is $\mathrm{SD}(X_1; X_2) = \mathrm{SD}(P_{X_1}; P_{X_2}) = \frac{1}{2} \sum_x |\Pr[X_1 = x] - \Pr[X_2 = x]|$. The min-entropy of random variable X is $H_\infty(X) = -\lg \max_x \Pr[X = x]$ and if Z is also a random variable the conditional min-entropy is $H_\infty(X \mid Z) = -\lg \sum_z \Pr[Z = z] \max_x \Pr[X = x \mid Z = z]$.

Transforms, channels and algorithms. We say that T is a transform with domain D and range R, written $T: D \to R$, if T(x) is a random variable over R for every $x \in D$. Thus, T is fully specified by a sequence $P = \{P_x\}_{x \in D}$ of probability distributions over R, where $P_x(y) = \Pr[T(x) = y]$ for all $x \in D$ and $y \in R$. We call P the distribution associated to T. This distribution can be specified by a $|D|$ by $|R|$ transition probability matrix W defined by $W[x,y] = P_x(y)$. A (randomized) algorithm is also a transform. Finally, an adversary too is a transform.

Channels. A channel is, again, just a transform. In more conventional communications terminology, a channel $\mathrm{Ch}: D \to R$ has input alphabet D and output alphabet R.

If $\mathrm{B}: D \to Z$ is a channel and $c \ge 1$ is an integer we define the channel $\mathrm{B}^c: \{0,1\}^c \to Z^c$ by $\mathrm{B}^c(X) = \mathrm{B}(X[1]) \| \cdots \| \mathrm{B}(X[c])$ for all $X = X[1] \ldots X[c] \in \{0,1\}^c$. The applications of B are all independent, meaning that if W is the transition probability matrix of B then the transition probability matrix $W^c$ of $\mathrm{B}^c$ is defined by $W^c[X,Y] = W[X[1], Y[1]] \cdot \ldots \cdot W[X[c], Y[c]]$ for all $X = X[1] \ldots X[c] \in \{0,1\}^c$ and $Y = Y[1] \ldots Y[c] \in Z^c$. We say that a channel Ch is binary if it equals $\mathrm{B}^c$ for some channel B and some c, in which case we refer to B as the base (binary) channel and Ch as the channel induced by B.

By $\mathrm{BSC}_p: \{0,1\} \to \{0,1\}$ we denote the binary symmetric channel with crossover probability p ($0 \le p < 1/2$). Its transition probability matrix W has $W[x,y] = p$ if $x \neq y$ and $1-p$ otherwise for all $x, y \in \{0,1\}$. The induced channel $\mathrm{BSC}_p^c$ flips each input bit independently with probability p.

The receiver and adversary channels of the wiretap setting will have domain $\{0,1\}^c$, where c is the length of the sender ciphertext, and range $\{0,1\}^d$, where the output length d may differ between the two channels. Such channels may be binary, which is the most natural example, but our equivalences between security notions hold for all channels, even ones that are not binary.

If $\mathrm{Ch}_1: \{0,1\}^{c_1} \to \{0,1\}^{d_1}$ and $\mathrm{Ch}_2: \{0,1\}^{c_2} \to \{0,1\}^{d_2}$ are channels then $\mathrm{Ch}_1 \| \mathrm{Ch}_2$ denotes the channel $\mathrm{Ch}: \{0,1\}^{c_1 + c_2} \to \{0,1\}^{d_1 + d_2}$ defined by $\mathrm{Ch}(x_1 \| x_2) = \mathrm{Ch}_1(x_1) \| \mathrm{Ch}_2(x_2)$ for all $x_1 \in \{0,1\}^{c_1}$ and $x_2 \in \{0,1\}^{c_2}$.

Finally, we say that a channel $\mathrm{Ch}: D \to R$ with transition matrix W is symmetric if there exists a partition of the range as $R = R_1 \cup \cdots \cup R_n$ such that for all i the sub-matrix $W[\cdot, R_i]$ induced by the rows in $R_i$ is strongly symmetric, i.e., all rows are permutations of each other, and all columns are permutations of each other.



3 Encryption and Semantic Security 

Our formalization of encryption functions and schemes, as well as their security, follows the approach 
of [3]. We briefly review the main tools, and refer the reader to [3] for further details. 

Encryption functions and schemes. An encryption function is a transform $\mathcal{E}: \{0,1\}^m \to \{0,1\}^c$ where m is the message length and c is the sender ciphertext length. The rate of $\mathcal{E}$ is $\mathrm{Rate}(\mathcal{E}) = m/c$. If $\mathrm{ChR}: \{0,1\}^c \to \{0,1\}^d$ is a receiver channel then a decryption function for $\mathcal{E}$ over ChR is a transform $\mathcal{D}: \{0,1\}^d \to \{0,1\}^m$ whose decryption error $\mathrm{DE}(\mathcal{E}; \mathcal{D}; \mathrm{ChR})$ is defined as the maximum, over all $M \in \{0,1\}^m$, of $\Pr[\mathcal{D}(\mathrm{ChR}(\mathcal{E}(M))) \neq M]$.

An encryption scheme $\mathcal{E} = \{\mathcal{E}_k\}_{k \in \mathbb{N}}$ is a family of encryption functions where $\mathcal{E}_k: \{0,1\}^{m(k)} \to \{0,1\}^{c(k)}$ for functions $m, c: \mathbb{N} \to \mathbb{N}$ called the message length and sender ciphertext length of the scheme. Suppose $\mathrm{ChR} = \{\mathrm{ChR}_k\}_{k \in \mathbb{N}}$ is a family of receiver channels where $\mathrm{ChR}_k: \{0,1\}^{c(k)} \to \{0,1\}^{d(k)}$. Then a decryption scheme for $\mathcal{E}$ over ChR is a family $\mathcal{D} = \{\mathcal{D}_k\}_{k \in \mathbb{N}}$ where $\mathcal{D}_k: \{0,1\}^{d(k)} \to \{0,1\}^{m(k)}$ is a decryption function for $\mathcal{E}_k$ over $\mathrm{ChR}_k$. The decoding requirement, also called the decryption requirement, is that $\lim_{k \to \infty} \mathrm{DE}(\mathcal{E}_k; \mathcal{D}_k; \mathrm{ChR}_k) = 0$. The rate of $\mathcal{E}$ is $\mathrm{Rate}(\mathcal{E}) = \lim_{k \to \infty} \mathrm{Rate}(\mathcal{E}_k)$.

We say that a family $\{S_k\}_{k \in \mathbb{N}}$ (e.g. an encryption or decryption scheme) is polynomial-time computable if there is a polynomial time computable function which on input $1^k$ (the unary representation of k) and x returns $S_k(x)$. Our constructs will provide polynomial-time computable encryption and decryption schemes.

Semantic security. Let $\mathcal{E}: \{0,1\}^m \to \{0,1\}^c$ be an encryption function and let $\mathrm{ChA}: \{0,1\}^c \to \{0,1\}^d$ be an adversary channel. Security depends only on these, not on the receiver channel. Following [3], in this paper we will target semantic security (SS) and distinguishing security (DS). We refer the reader to [3] for an in-depth study of these notions, and their relation to entropy-based security metrics. Concretely, the SS advantage is defined as

$$\mathrm{Adv}^{\mathrm{ss}}(\mathcal{E}; \mathrm{ChA}) = \max_{f, M} \Big( \max_{A} \Pr[A(\mathrm{ChA}(\mathcal{E}(M))) = f(M)] - \max_{S} \Pr[S(m) = f(M)] \Big), \quad (1)$$

where f is a transform with domain $\{0,1\}^m$ that represents partial information about the message. Moreover, the distinguishing advantage is

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{E}; \mathrm{ChA}) = \max_{A, M_0, M_1} 2 \Pr[A(M_0, M_1, \mathrm{ChA}(\mathcal{E}(M_b))) = b] - 1 \quad (2)$$

$$= \max_{M_0, M_1} \mathrm{SD}(\mathrm{ChA}(\mathcal{E}(M_0)); \mathrm{ChA}(\mathcal{E}(M_1))), \quad (3)$$

where $\Pr[A(M_0, M_1, \mathrm{ChA}(\mathcal{E}(M_b))) = b]$ is the probability that adversary A, given m-bit messages $M_0, M_1$ and an adversary ciphertext emanating from $M_b$, correctly identifies the random challenge bit b. We note that this advantage is equal to the statistical distance between the random variables $\mathrm{ChA}(\mathcal{E}(M_0))$ and $\mathrm{ChA}(\mathcal{E}(M_1))$.
We say that the encryption scheme $\mathcal{E} = \{\mathcal{E}_k\}_{k \in \mathbb{N}}$ is SS-secure relative to $\mathrm{ChA} = \{\mathrm{ChA}_k\}_{k \in \mathbb{N}}$ if $\lim_{k \to \infty} \mathrm{Adv}^{\mathrm{ss}}(\mathcal{E}_k; \mathrm{ChA}_k) = 0$. This does not mandate any particular rate at which the advantage should vanish, but in our constructions this rate is exponentially vanishing with k. Similarly, the scheme is DS-secure if $\lim_{k \to \infty} \mathrm{Adv}^{\mathrm{ds}}(\mathcal{E}_k; \mathrm{ChA}_k) = 0$. The following theorem, proved in [3], establishes the equivalence of SS- and DS-security.

Theorem 3.1 [DS <-> SS] Let $\mathcal{E}: \{0,1\}^m \to \{0,1\}^c$ be an encryption algorithm and ChA an adversary channel. Then $\mathrm{Adv}^{\mathrm{ss}}(\mathcal{E}; \mathrm{ChA}) \le \mathrm{Adv}^{\mathrm{ds}}(\mathcal{E}; \mathrm{ChA}) \le 2 \cdot \mathrm{Adv}^{\mathrm{ss}}(\mathcal{E}; \mathrm{ChA})$. ■



4 Seeded Encryption 

We introduce an extension of the standard wiretap setting where Alice, Bob, and Eve have access to a 
common random string S, called the seed, chosen honestly and randomly. This setting is interesting in 
its own right: One can think of the seed as being chosen once and for all when deploying an encryption 
scheme. More importantly, however, seeded encryption can be seen as an intermediate step towards 
building a regular (unseeded) encryption scheme, as we explain below. 

Seeded encryption. A seeded encryption function is a transform $\mathcal{SE}: \mathrm{Sds} \times \{0,1\}^b \to \{0,1\}^n$ that takes a seed $S \in \mathrm{Sds}$ and message $M \in \{0,1\}^b$ to return a sender ciphertext denoted $\mathcal{SE}(S, M)$ or $\mathcal{SE}_S(M)$, so that each seed S defines an encryption function $\mathcal{SE}_S: \{0,1\}^b \to \{0,1\}^n$. Given a channel $\mathrm{ChR}: \{0,1\}^n \to \{0,1\}^e$, a seeded decryption function $\mathcal{SD}$ for $\mathcal{SE}$ over ChR is a transform $\mathcal{SD}: \mathrm{Sds} \times \{0,1\}^e \to \{0,1\}^b$. The decryption error $\mathrm{DE}(\mathcal{SE}; \mathcal{SD}; \mathrm{ChR})$ of $\mathcal{SE}$, $\mathcal{SD}$, and ChR is defined as

$$\mathrm{DE}(\mathcal{SE}; \mathcal{SD}; \mathrm{ChR}) = \mathbb{E}\Big[ \max_{M \in \{0,1\}^b} \Pr[\mathcal{SD}(S, \mathrm{ChR}(\mathcal{SE}(S, M))) \neq M] \Big],$$

where the expectation is taken over the random choice of S. A seeded encryption scheme is a family $\mathcal{SE} = \{\mathcal{SE}_k\}_{k \in \mathbb{N}}$. The rate $\mathrm{Rate}(\mathcal{SE})$ of a seeded encryption function $\mathcal{SE}$ is defined as b/n, meaning the seed is ignored, and, accordingly, we let $\mathrm{Rate}(\mathcal{SE}) = \lim_{k \to \infty} \mathrm{Rate}(\mathcal{SE}_k)$.

Distinguishing security for seeded encryption. We extend distinguishing security to the setting of seeded encryption. It is defined via a game where the adversary is first given the seed $S \leftarrow\$ \mathrm{Sds}$. It then outputs two messages $M_0, M_1$, and is subsequently given the encryption $\mathrm{ChA}(\mathcal{SE}_S(M_b))$ for a random bit b. Finally, it outputs a bit b', and wins the game if b = b'. As the adversary can choose the best pair of messages $M_0, M_1$ for each choice of the seed, the optimal strategy guesses the bit b with probability $(1 + \mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}_S; \mathrm{ChA}))/2$ conditioned on a particular choice of the seed S. Therefore, the optimal adversary guesses b with probability

$$\mathbb{E}\left[ \frac{1 + \mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}_S; \mathrm{ChA})}{2} \right] = \frac{1}{2} + \frac{\mathbb{E}\big[\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}_S; \mathrm{ChA})\big]}{2},$$

where the expectations are over S drawn at random from Sds, and equality follows from linearity of expectations. Consequently, we define the DS advantage as

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}) = \mathbb{E}\big[\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}_S; \mathrm{ChA})\big].$$

Similarly, one can extend the definition of semantic security to the setting of seeded encryption. 

Note that in the special case of one individual seed value, we obtain the special case of unseeded 
encryption given above. 

From seeded to unseeded encryption. We discuss how to generically transform any seeded encryp- 
tion function into a conventional (seedless) encryption function. This transformation is rate preserving, 
i.e., the rate of the resulting scheme is (asymptotically) the same as the one of the original seeded 
encryption scheme. 

The main idea behind our construction, which we call SR (for Seed Recycle), is to encrypt multiple message blocks using the underlying seeded encryption scheme with the same seed, and combine the resulting encryptions in one single ciphertext. An error-corrected version of the seed is included in the ciphertext to ensure decryption. If sufficiently many encryptions are combined into one ciphertext, the cost of including the seed is asymptotically vanishing, hence preserving the rate of the underlying seeded encryption. Moreover, no privacy must be guaranteed for the seed, as it can be made public, provided the underlying seeded encryption is DS-secure.

Transform E(M):   // M ∈ {0,1}^m
  S ←$ Sds
  M[1], ..., M[t] ←^b M
  For i = 1 to t do
    C[i] ←$ SE(S, M[i])
  Ret E(S) || C[1] || ... || C[t].

Transform D(C0 || C1):   // C0 ∈ {0,1}^{e0}, C1 ∈ {0,1}^{t·n1}
  C[1], ..., C[t] ←^{n1} C1
  S ← D(C0)
  For i = 1 to t do
    M[i] ←$ SD(S, C[i])
  Ret M[1] || ... || M[t].

Figure 2: Encryption from a seeded encryption. Encryption function $\mathcal{E} = \mathrm{SR}_t[\mathcal{SE}, \mathrm{E}]$, and associated decryption function $\mathcal{D}$ for the channel $\mathrm{ChR} = \mathrm{ChR}_0 \| \mathrm{ChR}_1^t$, where $\mathrm{ChR}_0: \{0,1\}^e \to \{0,1\}^{e_0}$ and $\mathrm{ChR}_1: \{0,1\}^n \to \{0,1\}^{n_1}$. By X[1], ..., X[c] ←^b X we mean that the bc-bit string X is split into b-bit blocks.

More concretely, let $\mathcal{SE}: \mathrm{Sds} \times \{0,1\}^b \to \{0,1\}^n$ be a seeded encryption function and let $\mathrm{E}: \mathrm{Sds} \to \{0,1\}^e$ be an efficiently computable injective function. For a parameter $t \ge 1$, the encryption function $\mathcal{E} = \mathrm{SR}_t[\mathcal{SE}, \mathrm{E}]$ takes as input a message $M \in \{0,1\}^m$, where $m = t \cdot b$, and splits it into t b-bit blocks $M[1], \ldots, M[t]$. It selects a random seed $S \leftarrow\$ \mathrm{Sds}$, and then encrypts the individual message blocks as $C[i] = \mathcal{SE}(S, M[i])$. The final $(e + t \cdot n)$-bit ciphertext consists of the concatenation of $C[0] = \mathrm{E}(S)$ and $C[1], \ldots, C[t]$. The encryption function $\mathcal{E}$ is described in Figure 2 for completeness.

Decryption for SR. First, recall that a code is an injective function $\mathrm{E}: \{0,1\}^k \to \{0,1\}^e$ for $k \le e$. Given a channel $\mathrm{ChR}: \{0,1\}^e \to \{0,1\}^{e_0}$, a decoder for E over ChR is an algorithm $\mathrm{D}: \{0,1\}^{e_0} \to \{0,1\}^k$. As in the case of decryption, its decoding error is defined as $\mathrm{DE}(\mathrm{E}; \mathrm{D}; \mathrm{ChR}) = \max_{M \in \{0,1\}^k} \Pr[\mathrm{D}(\mathrm{ChR}(\mathrm{E}(M))) \neq M]$.

We assume that $\mathcal{E}$ is used over a channel $\mathrm{ChR} = \mathrm{ChR}_0 \| \mathrm{ChR}_1^t$ which operates by independently processing the first e ciphertext bits (the encoded seed) through a channel $\mathrm{ChR}_0: \{0,1\}^e \to \{0,1\}^{e_0}$, while each subsequent n-bit block is sent (independently) through a channel $\mathrm{ChR}_1: \{0,1\}^n \to \{0,1\}^{n_1}$. The goal of the function E is to operate as a code ensuring recovery of the seed. Therefore, for any function $\mathrm{D}: \{0,1\}^{e_0} \to \mathrm{Sds}$, and decryption function $\mathcal{SD}: \mathrm{Sds} \times \{0,1\}^{n_1} \to \{0,1\}^b$ for $\mathcal{SE}$ over $\mathrm{ChR}_1$, we specify the corresponding decryption function $\mathcal{D}$ for $\mathcal{E}$ over ChR as in Figure 2. The following lemma summarizes the relation between its decryption error and the ones of D and $\mathcal{SE}$, and its proof follows by a simple union bound.

Lemma 4.1 [Correct decryption of SR] Let $t \ge 1$, and let $\mathrm{ChR} = \mathrm{ChR}_0 \| \mathrm{ChR}_1^t$ be such that $\mathrm{ChR}_0: \{0,1\}^e \to \{0,1\}^{e_0}$ and $\mathrm{ChR}_1: \{0,1\}^n \to \{0,1\}^{n_1}$. Moreover, let $\mathcal{SE}: \mathrm{Sds} \times \{0,1\}^b \to \{0,1\}^n$, $\mathcal{SD}: \mathrm{Sds} \times \{0,1\}^{n_1} \to \{0,1\}^b$, $\mathrm{E}: \mathrm{Sds} \to \{0,1\}^e$, and $\mathrm{D}: \{0,1\}^{e_0} \to \mathrm{Sds}$. Then, for $\mathcal{E} = \mathrm{SR}_t[\mathcal{SE}, \mathrm{E}]$ and the associated decryption function $\mathcal{D}$ as above using D,

$$\mathrm{DE}(\mathcal{E}; \mathcal{D}; \mathrm{ChR}) \le \mathrm{DE}(\mathrm{E}; \mathrm{D}; \mathrm{ChR}_0) + t \cdot \mathrm{DE}(\mathcal{SE}; \mathcal{SD}; \mathrm{ChR}_1). \; ■$$

We note that Lemma 4.1 can be extended to the case where the channel $\mathrm{ChR}_0$, as well as the t usages of $\mathrm{ChR}_1$, are not necessarily independent, provided they do behave individually as $\mathrm{ChR}_0$ and $\mathrm{ChR}_1$, respectively.

Security of SR. We now turn to proving that DS security of £ = SRt[«S£,E] can be reduced to 
DS-security of S£, at the cost of only a factor t loss in the security reduction. 

Lemma 4.2 [Security of SR] Let $t \ge 1$, and let $\mathrm{ChA} = \mathrm{ChA}_0 \| \mathrm{ChA}_1^t$ be such that $\mathrm{ChA}_0: \{0,1\}^e \to \{0,1\}^{\ell_0}$ and $\mathrm{ChA}_1: \{0,1\}^n \to \{0,1\}^{\ell_1}$. Moreover, let $\mathcal{SE}: \mathrm{Sds} \times \{0,1\}^b \to \{0,1\}^n$, $\mathrm{E}: \mathrm{Sds} \to \{0,1\}^e$, and $\mathcal{E} = \mathrm{SR}_t[\mathcal{SE}, \mathrm{E}]$. Then,

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{E}; \mathrm{ChA}_0 \| \mathrm{ChA}_1^t) \le t \cdot \mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}_1). \; ■$$

Transform F_i(X, S):   // X ∈ {0,1}^{ℓ1}, S ∈ Sds
  Z[0] ←$ ChA0(E(S))
  M^(i)[1], ..., M^(i)[t] ←^b M^(i)
  Z[i] ← X
  For j = 1 to t, j ≠ i, do
    C[j] ←$ SE(S, M^(i)[j]); Z[j] ←$ ChA1(C[j])
  Ret Z[0] || Z[1] || ... || Z[t].

Figure 3: Proof of Lemma 4.2. Description of the transform $F_i$.



Proof: The proof proceeds by a hybrid argument. To start with, let us fix two arbitrary m-bit messages $M_0, M_1$. Recall that $m = t \cdot b$. For all $i \in [0 \ldots t]$, let $M^{(i)} \in \{0,1\}^m$ be such that for all $j \in [1 \ldots t]$, the j-th b-bit block $M^{(i)}[j]$ equals $M_1[j]$ if $j \le i$, and $M_0[j]$ otherwise. In particular, $M^{(0)} = M_0$ and $M^{(t)} = M_1$. We let $X_i = \mathrm{ChA}(\mathcal{E}(M^{(i)}))$, and by the triangle inequality,

$$\mathrm{SD}(\mathrm{ChA}(\mathcal{E}(M_0)); \mathrm{ChA}(\mathcal{E}(M_1))) = \mathrm{SD}(X_0; X_t) \le \sum_{i=1}^{t} \mathrm{SD}(X_{i-1}; X_i).$$

For convenience, let us introduce the shorthand $Z(S, M) = \mathrm{ChA}_1(\mathcal{SE}(S, M))$. For all $i \in [1 \ldots t]$, we introduce the transform $F_i: \{0,1\}^{\ell_1} \times \mathrm{Sds} \to \{0,1\}^{\ell_0 + t \cdot \ell_1}$ described in Figure 3. Then, it is easy to verify that the outputs of $F_i(Z(S, M_0[i]), S)$ and $F_i(Z(S, M_1[i]), S)$ are distributed as $X_{i-1}$ and $X_i$, respectively. Hence:

$$\begin{aligned}
\mathrm{SD}(X_{i-1}; X_i) &= \mathrm{SD}(F_i(Z(S, M_0[i]), S); F_i(Z(S, M_1[i]), S)) \\
&\le \mathrm{SD}((Z(S, M_0[i]), S); (Z(S, M_1[i]), S)) \\
&\le \max_{M'_0, M'_1 \in \{0,1\}^b} \mathrm{SD}((Z(S, M'_0), S); (Z(S, M'_1), S)) \\
&= \max_{M'_0, M'_1 \in \{0,1\}^b} \mathbb{E}_{S \leftarrow\$ \mathrm{Sds}}\big[\mathrm{SD}(Z(S, M'_0); Z(S, M'_1))\big] \\
&\le \mathbb{E}_{S \leftarrow\$ \mathrm{Sds}}\Big[\max_{M'_0, M'_1 \in \{0,1\}^b} \mathrm{SD}(Z(S, M'_0); Z(S, M'_1))\Big] \\
&= \mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}_1),
\end{aligned}$$

where the first inequality follows from the fact that $\mathrm{SD}(g(X); g(Y)) \le \mathrm{SD}(X; Y)$ for all random variables X, Y, and all functions g. The final bound follows by maximizing over all $M_0, M_1 \in \{0,1\}^m$. ■

An encryption scheme and its rate. In the asymptotic setting, we construct an encryption scheme $\mathcal{E} = \{\mathcal{E}_k\}_{k \in \mathbb{N}}$ using the SR construction as follows: We start from an arbitrary seeded encryption scheme $\mathcal{SE} = \{\mathcal{SE}_k\}_{k \in \mathbb{N}}$ such that $\mathcal{SE}_k: \mathrm{Sds}_k \times \{0,1\}^{b(k)} \to \{0,1\}^{n(k)}$, as well as from a family of injective functions $\mathrm{E} = \{\mathrm{E}_k\}_{k \in \mathbb{N}}$ with $\mathrm{E}_k: \mathrm{Sds}_k \to \{0,1\}^{e(k)}$. Also let $t: \mathbb{N} \to \mathbb{N}$ be a function such that $e(k) = o(n(k) \cdot t(k))$. Often, letting $t(k) = O(\log(n))$ will be sufficient. Then, for all $k \in \mathbb{N}$, the encryption algorithm $\mathcal{E}_k: \{0,1\}^{t(k) \cdot b(k)} \to \{0,1\}^{e(k) + t(k) \cdot n(k)}$ is defined as $\mathcal{E}_k = \mathrm{SR}_{t(k)}[\mathcal{SE}_k, \mathrm{E}_k]$.

We conclude by verifying that the rates of $\mathcal{E}$ and $\mathcal{SE}$ are indeed equal:

$$\begin{aligned}
\mathrm{Rate}(\mathcal{E}) &= \lim_{k \to \infty} \frac{t(k) \cdot b(k)}{e(k) + t(k) \cdot n(k)} = \lim_{k \to \infty} \frac{b(k)}{e(k)/t(k) + n(k)} \\
&= \lim_{k \to \infty} \frac{b(k)}{n(k)} \cdot \lim_{k \to \infty} \frac{1}{1 + e(k)/(t(k) \cdot n(k))} \\
&= \mathrm{Rate}(\mathcal{SE}) \cdot \frac{1}{1 + \lim_{k \to \infty} e(k)/(t(k) \cdot n(k))} = \mathrm{Rate}(\mathcal{SE}).
\end{aligned}$$



5 A DS-Secure Scheme Achieving Secrecy Capacity



In this section, we turn to our main technical result, a seeded encryption scheme achieving DS-security. 
Its rate, for a large set of adversary channels, is optimal, meaning it equals the secrecy capacity. Using 
the SR construction from the previous section, our scheme yields an unseeded encryption scheme with 
optimal rate. 

5.1 The ItE Construction

In the following, we present our generic construction of an encryption function, which we call ItE (Invert-then-Encode). Before giving any details, however, let us start with the high-level idea underlying our approach. For simplicity, let us focus on the case where ChR and ChA are BSCs with respective crossover probabilities $p_R < p_A < 1/2$. Let us also assume the goal is the simpler one of Alice and Bob agreeing on an n-bit key rather than transmitting a message. If we let the seed $S \in \mathrm{Sds}$ be the seed for an extractor $\mathrm{Ext}: \mathrm{Sds} \times \{0,1\}^k \to \{0,1\}^m$ and given an error-correcting code $\mathrm{E}: \{0,1\}^k \to \{0,1\}^n$ for reliable communication over $\mathrm{BSC}_{p_R}$, a natural approach consists of Alice sending $\mathrm{E}(R)$, for a random k-bit R, to Bob, via ChR, and both parties now derive the key as $K = \mathrm{Ext}(S, R)$.

Proving that this approach works requires estimating $H_\infty(R \mid Z) = -\lg\big(\sum_z \max_r \Pr[R = r, Z = z]\big)$, where $Z = \mathrm{BSC}_{p_A}^n(\mathrm{E}(R))$ is the information received by Eve. Yet, it is not hard to see that the most likely outcome, when $Z = z$, is that R equals the unique r such that $\mathrm{E}(r) = z$, and that hence $H_\infty(R \mid Z) = n \cdot \lg(1/(1 - p_A))$, which is smaller than $h_2(p_A) - h_2(p_R)$, and which also upper bounds the length of the derived key K. To overcome this, we will observe the following: We can think of $\mathrm{BSC}_{p_A}$ as adding an n-bit noise vector $\mathbf{E}$ to its input $\mathrm{E}(R)$, where each bit $\mathbf{E}[i]$ of the noise vector takes value one with probability $p_A$. With overwhelming probability, $\mathbf{E}$ is (roughly) uniformly distributed on the set of n-bit vectors with Hamming weight (approximately) $p_A \cdot n$ and there are (approximately) $2^{n \cdot h_2(p_A)}$ such vectors. Therefore, choosing the noise uniformly from such vectors does not change the experiment much, and moreover, in this new experiment, one can show that roughly $H_\infty(R \mid Z) \ge k - n \cdot (1 - h_2(p_A))$. We will make this precise for a general class of symmetric channels via the notion of smooth min-entropy [29].

While both Ext and E can be instantiated so that the secret-key rate satisfies $|K|/n \approx h_2(p_A) - h_2(p_R)$, which is the secrecy capacity, recall that our goal is way more ambitious: Alice wants to send an arbitrary message of her choice. The obvious way to do this is to obtain a key K as above and then send $K \oplus M$. But this at least halves the rate, which becomes far from optimal. Our approach instead is to use an extractor Ext that is invertible in the sense that given M and S, we can sample a random R such that $\mathrm{Ext}(S, R) = M$. We then encrypt a message M as $\mathrm{E}(R)$, where R is a random preimage of M under $\mathrm{Ext}(S, \cdot)$. However, the above argument only yields, at best, security for a randomly chosen input. In contrast, showing DS-security amounts to proving, for any two messages $M_0$ and $M_1$, that $\mathrm{BSC}_{p_A}^n(\mathrm{E}(R_0))$ and $\mathrm{BSC}_{p_A}^n(\mathrm{E}(R_1))$ are statistically close, where $R_i$ is uniform such that $\mathrm{Ext}(S, R_i) = M_i$. To make things even worse, the messages $M_0$ and $M_1$ are allowed to depend on the seed. The main challenge is that such a proof appears to require detailed knowledge of the combinatorial structure of E and Ext. In particular, we remark that it is not possible to provide a direct proof that the encryption of an arbitrary message is uniformly distributed, even in the simpler case where the message is seed-independent. In fact, for most codes, ciphertexts turn out not to be uniform at all.

Instead, we will take a completely different approach: We prove a general result, of independent 
interest, which shows that any seeded encryption function with appropriate linearity properties is DS- 
secure whenever it is secure for randomly chosen inputs. This result is surprising, as random-input 
security does not, in general, imply chosen-input security. A careful choice of the extractor to satisfy 
these requirements, combined with the above idea, will hence yield a scheme achieving DS-security. 

(Invertible) Extractors. A function $\mathrm{Ext} : \mathrm{SDS} \times \{0,1\}^k \to \{0,1\}^b$ is called an $(h, \alpha)$-extractor (strong, average-case extractor in the terminology of [12]) if $\mathrm{SD}((\mathrm{Ext}(S, X), Z, S); (U, Z, S)) \le \alpha$ for all pairs of (correlated) random variables $(X, Z)$ over $\{0,1\}^k \times \{0,1\}^*$ with $H_\infty(X \mid Z) \ge h$, where additionally $S$ and $U$ are uniform on $\mathrm{SDS}$ and $\{0,1\}^b$, respectively. We will say that Ext is regular if for all $S \in \mathrm{SDS}$, the function $\mathrm{Ext}(S, \cdot)$ is regular, meaning every point in the range has the same number of preimages.

Transform $\mathcal{SE}(S, M)$:      // $S \in \mathrm{SDS}$, $M \in \{0,1\}^b$
    $R \leftarrow_\$ \{0,1\}^r$
    $X \leftarrow \mathrm{Inv}(S, R, M)$
    Ret $\mathrm{E}(X)$.

Transform $\mathcal{SD}(S, C)$:      // $C \in \{0,1\}^*$
    $X \leftarrow \mathrm{D}(C)$
    $M \leftarrow \mathrm{Ext}(S, X)$
    Ret $M$.

Figure 4: Seeded encryption function $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$ and associated decryption function $\mathcal{SD}$.

Recall that a function $\mathrm{H} : \mathrm{SDS} \times \{0,1\}^k \to \{0,1\}^b$ is two-universal if $\Pr[\mathrm{H}(S, X) = \mathrm{H}(S, X')] \le 2^{-b}$ for all distinct $X, X' \in \{0,1\}^k$ when $S \leftarrow_\$ \mathrm{SDS}$. The following average-case version of the Leftover Hash Lemma (LHL) of [16], due to [12], implies that a two-universal function is an essentially-optimal extractor:

Lemma 5.1 Let $\mathrm{H} : \mathrm{SDS} \times \{0,1\}^k \to \{0,1\}^b$ be a two-universal function. Let $S$ be uniform over $\mathrm{SDS}$. Let $X, Z$ be random variables over $\{0,1\}^k$ and $\{0,1\}^*$ respectively, and let $U$ be uniform on $\{0,1\}^b$, independent of $X$, $Z$ and $S$. Then,

$$\mathrm{SD}((\mathrm{H}(S, X), Z, S); (U, Z, S)) \le \tfrac{1}{2}\sqrt{2^{\,b - H_\infty(X \mid Z)}} .$$

Specifically, this says that $\mathrm{H}$ is an $(h, \alpha)$-extractor with $h = b - 2 - 2\lg\alpha$.

Our approach will rely on extractors which can efficiently be inverted. We say that a function $\mathrm{Inv} : \mathrm{SDS} \times \{0,1\}^r \times \{0,1\}^b \to \{0,1\}^k$ is an inverter for an extractor $\mathrm{Ext} : \mathrm{SDS} \times \{0,1\}^k \to \{0,1\}^b$ if for all $S \in \mathrm{SDS}$ and $Y \in \{0,1\}^b$, and for $R$ uniform over $\{0,1\}^r$, the random variable $\mathrm{Inv}(S, R, Y)$ is uniformly distributed on $\{ X \in \{0,1\}^k : \mathrm{Ext}(S, X) = Y \}$, the set of preimages of $Y$ under $\mathrm{Ext}(S, \cdot)$.

To make this concrete we give an example of an extractor with an efficiently computable inverter. Recall that $k$-bit strings can be interpreted as elements of the finite field $\mathrm{GF}(2^k)$, allowing us to define a multiplication operator $\otimes$ on $k$-bit strings. Then, for $\mathrm{SDS} = \{0,1\}^k \setminus \{0^k\}$, we consider the function $\mathrm{Ext} : \{0,1\}^k \times \{0,1\}^k \to \{0,1\}^b$ which, on inputs $S \in \mathrm{SDS}$ and $X \in \{0,1\}^k$, outputs the first $b$ bits of $X \otimes S$. It is easy to see that Ext is regular once $0^k$ is removed from the set of seeds. In Appendix B we prove the following using the LHL:

Lemma 5.2 For all $\alpha \in (0, 1]$ and all $b \le k - 2\lg(1/\alpha) - 2$, the function Ext is a $(b + 2\lg(1/\alpha) + 2, \alpha)$-extractor.

An efficient inverter $\mathrm{Inv} : \mathrm{SDS} \times \{0,1\}^{k-b} \times \{0,1\}^b \to \{0,1\}^k$ is obtained by letting $\mathrm{Inv}(S, R, M) = S^{-1} \otimes (M \,\|\, R)$, where $S^{-1}$ is the inverse of $S$ with respect to multiplication in $\mathrm{GF}(2^k)$. Invertible extractors were used in [7], but their setting was much simpler than ours and they achieve only security for random inputs.

Encryption. We now describe the seeded encryption function of ItE. In the following, let $\mathrm{Ext} : \mathrm{SDS} \times \{0,1\}^k \to \{0,1\}^b$ be a regular extractor with inverter $\mathrm{Inv} : \mathrm{SDS} \times \{0,1\}^r \times \{0,1\}^b \to \{0,1\}^k$. Also let $\mathrm{E} : \{0,1\}^k \to \{0,1\}^n$ be a function with $k < n$, later to be instantiated via an appropriate error-correcting code. The encryption function $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$ is described in Figure 4. It applies the extractor inverter (with fresh randomness $R$) to the message $M$ and the seed $S$ to obtain an intermediate value $X = \mathrm{Inv}(S, R, M)$, which is then encoded using E to obtain the ciphertext.

Decryption. Given a channel $\mathrm{ChR} : \{0,1\}^n \to \{0,1\}^\ell$, the goal of the function E in $\mathcal{SE}$ above is to operate as an error-correcting code ensuring decryptability of the generated ciphertexts. Therefore, for any function $\mathrm{D} : \{0,1\}^* \to \{0,1\}^k$, we can define the corresponding decryption function $\mathcal{SD}$ for $\mathcal{SE}$ over ChR as in Figure 4. The following lemma summarizes the relation between its decryption error and the one of D.

Lemma 5.3 [Correct decryption] Let $\mathrm{ChR} : \{0,1\}^n \to \{0,1\}^\ell$ be a channel, and let $\mathcal{SE}$, $\mathcal{SD}$, E, and D be as above. Then, $\mathrm{DE}(\mathcal{SE}; \mathcal{SD}; \mathrm{ChR}) \le \mathrm{DE}(\mathrm{E}; \mathrm{D}; \mathrm{ChR})$.
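As an added, runnable illustration (not code from the paper), the following Python reproduces the finite-field extractor, its inverter $\mathrm{Inv}(S, R, M) = S^{-1} \otimes (M \,\|\, R)$, and the two transforms of Figure 4 with toy parameters $k = 8$, $b = 3$. The field $\mathrm{GF}(2^8)$ is fixed by the irreducible polynomial $x^8 + x^4 + x^3 + x + 1$, and the capacity-achieving code E of Lemma 5.10 is replaced by a 3-fold repetition code with majority decoding over a simulated $\mathrm{BSC}_p$; all of these concrete choices are assumptions of the example. It checks regularity of $\mathrm{Ext}(S, \cdot)$, that Inv really returns preimages, and estimates the decryption error of Lemma 5.3 empirically.

```python
import random

# Added example (not the paper's code): the finite-field extractor Ext, its inverter
# Inv, and the transforms SE / SD of Figure 4 with toy parameters. Assumptions of this
# example: k = 8, b = 3, GF(2^8) defined by x^8 + x^4 + x^3 + x + 1, and a 3-fold
# repetition code with majority decoding standing in for the capacity-achieving code E.

K = 8                      # k: bit length of X and of the seed S
B = 3                      # b: message length (first b bits of X (x) S)
REP = 3                    # repetition factor of the toy code E, so n = REP * K = 24
POLY = 0x11B               # x^8 + x^4 + x^3 + x + 1 (irreducible), defines GF(2^8)
SEEDS = range(1, 1 << K)   # SDS = {0,1}^k \ {0^k}: seeds must be invertible


def gf_mul(a, b):
    """Multiply two elements of GF(2^K), each represented as a K-bit integer."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> K:         # degree reached K: reduce modulo POLY
            a ^= POLY
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^K) by exhaustive search (fine for K = 8)."""
    return next(y for y in range(1, 1 << K) if gf_mul(a, y) == 1)


def ext(s, x):
    """Ext(S, X): the first (most significant) b bits of X (x) S."""
    return gf_mul(x, s) >> (K - B)


def inv(s, r, m):
    """Inv(S, R, M) = S^{-1} (x) (M || R); for uniform R in {0,1}^{k-b} this is a
    uniform preimage of M under Ext(S, .)."""
    return gf_mul(gf_inv(s), (m << (K - B)) | r)


def preimage_counts(s):
    """Number of X with Ext(S, X) = M for every M; regularity means all equal 2^{k-b}."""
    counts = [0] * (1 << B)
    for x in range(1 << K):
        counts[ext(s, x)] += 1
    return counts


def encode(x):
    """Toy linear code E: each of the k bits of X (MSB first) is repeated REP times."""
    return [(x >> (K - 1 - i)) & 1 for i in range(K) for _ in range(REP)]


def decode(c):
    """Majority decoder D for the repetition code; returns a k-bit integer."""
    x = 0
    for i in range(K):
        block = c[i * REP:(i + 1) * REP]
        x = (x << 1) | (1 if 2 * sum(block) > REP else 0)
    return x


def bsc(bits, p, rng):
    """BSC_p^n: flip every bit independently with probability p."""
    return [bit ^ (1 if rng.random() < p else 0) for bit in bits]


def se_encrypt(s, m, rng):
    """Transform SE(S, M): sample R, invert the extractor, encode."""
    r = rng.randrange(1 << (K - B))
    return encode(inv(s, r, m))


def sd_decrypt(s, c):
    """Transform SD(S, C): decode, then apply the extractor."""
    return ext(s, decode(c))


def decryption_error_rate(p, trials=2000, seed=1):
    """Empirical DE(SE; SD; BSC_p^n): fraction of trials with SD(S, BSC_p^n(SE(S, M))) != M.
    Lemma 5.3 says this is at most the decoding error of the code (E, D) alone."""
    rng = random.Random(seed)
    errors = 0
    for _ in range(trials):
        s = rng.choice(SEEDS)
        m = rng.randrange(1 << B)
        c = bsc(se_encrypt(s, m, rng), p, rng)
        errors += sd_decrypt(s, c) != m
    return errors / trials


if __name__ == "__main__":
    print("preimage counts for S = 0x53:", preimage_counts(0x53))   # eight times 32
    print("empirical decryption error over BSC_0.05:", decryption_error_rate(0.05))
```

Because $X \mapsto X \otimes S$ is a bijection of $\mathrm{GF}(2^8)$ for every non-zero seed, each of the $2^b = 8$ messages has exactly $2^{k-b} = 32$ preimages, which is the regularity the security proof relies on; the same code also exhibits the output linearity and separability of Inv that Section 5.3 needs, since multiplication by $S^{-1}$ is $\mathrm{GF}(2)$-linear.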
Security. Below, we discuss the security of ItE. Our approach consists of two steps: We first introduce a metric based on statistical distance capturing the random-message security of a seeded encryption function, and prove random-message security of ItE. Subsequently, we prove a general result showing that random-message security implies DS security in many scenarios, and apply it to ItE.



5.2 Random-Message Security of ItE 

Random distinguishing-security. We now address the problem of proving security of ItE under random messages. To this end, we introduce a new security metric rds based on the statistical distance. Specifically, for a seeded encryption function $\mathcal{SE} : \mathrm{SDS} \times \{0,1\}^b \to \{0,1\}^n$ and a channel $\mathrm{ChA} : \{0,1\}^n \to \{0,1\}^*$, we define the rds advantage as

$$\mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}) = \mathbb{E}\big[\mathrm{SD}((\mathrm{ChA}(\mathcal{SE}(S, U)), U); (\mathrm{ChA}(\mathcal{SE}(S, U')), U))\big] ,$$

where $U$ and $U'$ are independent $b$-bit inputs, and the expectation is taken over the choice of the seed $S$. Below, we will prove that, surprisingly, RDS-security is often sufficient in order to infer DS-security of a seeded encryption function.

RDS-Security for ItE. We now want to prove an upper bound on the rds advantage for $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$, where Inv is the inverter of a regular extractor Ext.

It is crucial to remark that the joint distribution of $(X, U)$ is identical if we (i) sample a uniform random $b$-bit message $U$, a random $r$-bit string $R$, and compute $X \leftarrow \mathrm{Inv}(S, R, U)$, or if instead (ii) we pick $X$ uniformly at random, and then compute $U \leftarrow \mathrm{Ext}(S, X)$. But then, intuitively, we expect that $X$, when $\mathrm{E}(X)$ is sent through ChA, has sufficiently high min-entropy $h$ in the eyes of the adversary, hence implying that if Ext is an $(h, \alpha)$-extractor,

$$\mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}) = \mathbb{E}\big[\mathrm{SD}((\mathrm{ChA}(\mathcal{SE}(S, U)), U); (\mathrm{ChA}(\mathcal{SE}(S, U')), U))\big] \le \alpha ,$$

since for any two transforms $T_1, T_2$, $\mathrm{SD}((T_1(S), S); (T_2(S), S)) = \mathbb{E}[\mathrm{SD}(T_1(S); T_2(S))]$, where the expectation is over the choice of $S$ according to $P_S$. In order to lower bound the entropy $H_\infty(X \mid \mathrm{ChA}(\mathrm{E}(X)))$ we will use the following observation: For a symmetric channel ChA, let $H(\mathrm{ChA}) = H(\mathrm{ChA}(X))$ for any input $X$. (The entropy $H(\mathrm{ChA}(X))$ is the same, regardless of the input, since the rows of the transition probability matrix of ChA are all permutations of each other.) Then, we are going to prove that if we use the channel $n$ times, each time to transmit a bit, then we can always see ChA as adding some noise whose distribution is statistically close to a noise distribution where all values are taken with probability at most $2^{-n H(\mathrm{ChA})}$. This is formalized via the notion of $\varepsilon$-smooth min-entropy [29] of a distribution $P$, defined as

$$H_\infty^\varepsilon(P) = \max_{Q : \mathrm{SD}(P; Q) \le \varepsilon} H_\infty(Q) .$$

Analogously, we define $H_\infty^\varepsilon(X) = H_\infty^\varepsilon(P_X)$ for every random variable $X$ with distribution $P_X$. The following lemma, first shown by Holenstein and Renner [18] in a more general setting, states that the smooth min-entropy of multiple independent samples is, on average, nearly as large as the Shannon entropy of an individual sample.

Lemma 5.4 [18] Let $X_1, \ldots, X_n$ be independent samples from a distribution $P$ on a finite set $\mathcal{X}$, and let $\delta > 0$. Then, $H_\infty^\varepsilon(X_1 \ldots X_n) \ge n \cdot H(P) - n \cdot \delta$, where

$$\varepsilon = \varepsilon(\delta, n, |\mathcal{X}|) = 2^{-\frac{n\delta^2}{2\lg^2(|\mathcal{X}| + 3)}} .$$
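The following added Python example (not from the paper) makes the smooth min-entropy argument concrete for $\mathrm{ChA} = \mathrm{BSC}_p$: it computes $H_\infty^\varepsilon$ of the noise distribution of $\mathrm{BSC}_p^n$ exactly, by grouping noise vectors by Hamming weight and capping the largest probabilities (which is the optimal $Q$ in the definition above), and compares $H_\infty^\varepsilon/n$ with $H(\mathrm{BSC}_p) = h_2(p)$ and with the guarantee of Lemma 5.4. The capping algorithm and the parameter choices are the example's own.

```python
import math

# Added example (not the paper's code): exact epsilon-smooth min-entropy of the noise
# distribution of BSC_p^n, grouped by Hamming weight, compared with the Shannon entropy
# n * h_2(p) = n * H(BSC_p) and with the guarantee of Lemma 5.4. The capping algorithm
# below and the parameter choices are the example's own.


def h2(p):
    """Binary entropy function h_2."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def bsc_noise_groups(n, p):
    """Noise vectors of BSC_p^n grouped by weight w, as (per-vector probability, count)
    pairs in decreasing order of probability (increasing w, since p < 1/2)."""
    return [((1 - p) ** (n - w) * p ** w, math.comb(n, w)) for w in range(n + 1)]


def smooth_min_entropy(groups, eps):
    """H_inf^eps(P) = max_{Q : SD(P;Q) <= eps} H_inf(Q) for P given as sorted
    (probability, multiplicity) groups. The best Q caps every probability at a level lam
    and moves the removed mass, which equals SD(P;Q), to elements below the cap; hence
    H_inf^eps(P) = -lg(lam*) for the smallest cap lam* whose removed mass is <= eps."""
    size = sum(count for _, count in groups)
    mass, count, lam = 0.0, 0, 1.0
    for i, (prob, mult) in enumerate(groups):
        mass += prob * mult
        count += mult
        lam = (mass - eps) / count                    # cap at which removed mass == eps
        nxt = groups[i + 1][0] if i + 1 < len(groups) else 0.0
        if lam >= nxt:                                # cap lies in [prob_{i+1}, prob_i]
            break
    lam = max(lam, 1.0 / size)                        # Q must sum to 1: cap >= 1/|support|
    return -math.log2(lam)


def lemma_5_4_eps(delta, n, alphabet_size):
    """epsilon(delta, n, |X|) from Lemma 5.4."""
    return 2 ** (-n * delta ** 2 / (2 * math.log2(alphabet_size + 3) ** 2))


def per_bit_smooth_entropy(n, p, eps):
    """H_inf^eps(BSC_p^n noise) / n, which approaches h_2(p) as n grows."""
    return smooth_min_entropy(bsc_noise_groups(n, p), eps) / n


if __name__ == "__main__":
    p, eps = 0.1, 0.01
    for n in (10, 50, 200, 400):
        print(n, round(per_bit_smooth_entropy(n, p, eps), 3), "vs h2(p) =", round(h2(p), 3))
```

Running it shows the effect the text describes: the plain min-entropy of the noise stays at $-\lg(1-p)$ per bit (the all-zero noise vector), whereas already with $\varepsilon = 0.01$ the smooth min-entropy per bit grows with $n$ towards $h_2(p)$, because the heavy low-weight vectors carry negligible total mass once $n$ is large. The $\varepsilon$ of Lemma 5.4 itself is only small for very large $n$, which is why the parameter choices in Section 5.4 take $\delta(s) = \Theta(n^{-1/4})$.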

The RDS-security of $\mathcal{SE}$ is then summarized by the following lemma. Interestingly, the lemma does not need any assumption on E, other than the fact that it is injective.

Lemma 5.5 [RDS-security of ItE] Let $\delta > 0$ and $\mathrm{OutA} \subseteq \{0,1\}^*$. Also, let $\mathrm{ChA} : \{0,1\} \to \mathrm{OutA}$ be a symmetric channel and let $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$, where Inv is the inverter of a regular $(k - n \cdot (\lg(|\mathrm{OutA}|) - H(\mathrm{ChA}) + \delta), \alpha)$-extractor, and E is injective. Then,

$$\mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}^n) \le 2 \cdot 2^{-\frac{n\delta^2}{2\lg^2(|\mathrm{OutA}| + 3)}} + \alpha .$$
Process $\Pi_1$:
    $M \leftarrow_\$ \{0,1\}^b$; $S \leftarrow_\$ \mathrm{SDS}$; $R \leftarrow_\$ \{0,1\}^r$
    $X \leftarrow \mathrm{Inv}(S, R, M)$; $C \leftarrow \mathrm{E}(X)$
    $Z \leftarrow_\$ \mathrm{ChA}^n(C)$
    Ret $(Z, M, S)$.

Process $\Pi_2$:
    $M \leftarrow_\$ \{0,1\}^b$; $S \leftarrow_\$ \mathrm{SDS}$; $R \leftarrow_\$ \{0,1\}^r$
    $X \leftarrow \mathrm{Inv}(S, R, M)$; $C \leftarrow \mathrm{E}(X)$
    $Y \leftarrow_\$ \mathrm{ChA}^n(0^n)$; $Z \leftarrow \pi_C(Y)$
    Ret $(Z, M, S)$.

Process $\Pi_3$:
    $S \leftarrow_\$ \mathrm{SDS}$; $X \leftarrow_\$ \{0,1\}^k$
    $M \leftarrow \mathrm{Ext}(S, X)$; $C \leftarrow \mathrm{E}(X)$
    $Y \leftarrow_\$ \mathrm{ChA}^n(0^n)$; $Z \leftarrow \pi_C(Y)$
    Ret $(Z, M, S)$.

Process $\Pi_4$:
    $S \leftarrow_\$ \mathrm{SDS}$; $X \leftarrow_\$ \{0,1\}^k$
    $M \leftarrow \mathrm{Ext}(S, X)$; $C \leftarrow \mathrm{E}(X)$
    $Y \leftarrow_\$ P'$; $Z \leftarrow \pi_C(Y)$
    Ret $(Z, M, S)$.

Process $\Pi_5$:
    $S \leftarrow_\$ \mathrm{SDS}$; $X \leftarrow_\$ \{0,1\}^k$
    $M \leftarrow \mathrm{Ext}(S, X)$; $C \leftarrow \mathrm{E}(X)$
    $M' \leftarrow_\$ \{0,1\}^b$
    $Y \leftarrow_\$ P'$; $Z \leftarrow \pi_C(Y)$
    Ret $(Z, M', S)$.

Process $\Pi_6$:
    $M \leftarrow_\$ \{0,1\}^b$; $M' \leftarrow_\$ \{0,1\}^b$
    $S \leftarrow_\$ \mathrm{SDS}$; $R \leftarrow_\$ \{0,1\}^r$
    $X \leftarrow \mathrm{Inv}(S, R, M)$; $C \leftarrow \mathrm{E}(X)$
    $Z \leftarrow_\$ \mathrm{ChA}^n(C)$
    Ret $(Z, M', S)$.

Figure 5: Proof of Lemma 5.5. Pseudocode description of the sequence of processes $\Pi_1$ to $\Pi_6$. In $\Pi_4$ and $\Pi_5$, $P'$ is the distribution on $\mathrm{OutA}^n$ that the proof obtains from the smooth min-entropy of $\mathrm{ChA}^n(0^n)$.



Proof: Recall that for two independent and uniform $b$-bit strings $U$ and $U'$,

$$\mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}^n) = \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\big[\mathrm{SD}((\mathrm{ChA}^n(\mathcal{SE}(S, U)), U); (\mathrm{ChA}^n(\mathcal{SE}(S, U')), U))\big]$$
$$= \mathrm{SD}((\mathrm{ChA}^n(\mathcal{SE}(S, U)), U, S); (\mathrm{ChA}^n(\mathcal{SE}(S, U')), U, S)) ,$$

where $S$ is chosen uniformly at random on SDS. The proof proceeds by giving a sequence of intermediate random processes, described in pseudo-code in Figure 5, which will be used to transition from the random variable $(\mathrm{ChA}^n(\mathcal{SE}(S, U)), U, S)$ to the random variable $(\mathrm{ChA}^n(\mathcal{SE}(S, U')), U, S)$. For any two processes $\Pi_i$ and $\Pi_j$, we let $\mathrm{SD}(\Pi_i; \Pi_j)$ denote the statistical distance between their output distributions.

The first three processes $\Pi_1$, $\Pi_2$, and $\Pi_3$ are described on top of Figure 5. Process $\Pi_1$ samples a triple $(Z, M, S)$ according to the probability distribution of $(\mathrm{ChA}^n(\mathcal{SE}(S, U)), U, S)$. The second process $\Pi_2$ modifies the way in which $Z$ is sampled: As the channel ChA is symmetric, there must exist a permutation $\pi_1 : \mathrm{OutA} \to \mathrm{OutA}$ such that $\Pr[\mathrm{ChA}(b) = \pi_b(Y)] = \Pr[\mathrm{ChA}(0) = Y]$, where $\pi_0$ is the identity. Consequently, for all $X \in \{0,1\}^n$, we define $\pi_X(Y) = (\pi_{X[1]}(Y[1]), \ldots, \pi_{X[n]}(Y[n]))$, and

$$\Pr[\mathrm{ChA}^n(X) = \pi_X(Y)] = \Pr[\mathrm{ChA}^n(0^n) = Y]$$

for all $Y \in \mathrm{OutA}^n$. Accordingly, to implement the channel $\mathrm{ChA}^n$ on input $X$ in $\Pi_2$, we first sample $Y \leftarrow_\$ \mathrm{ChA}^n(0^n)$, and then output $Z = \pi_X(Y)$. For the third process $\Pi_3$, assume that we invert the role of $X$ and $M$: that is, we first sample $X$ uniformly at random in $\{0,1\}^k$, and then set $M$ to equal $\mathrm{Ext}(S, X)$. By the regularity of Ext, the output distributions of $\Pi_2$ and $\Pi_3$ are identical. Therefore,

$$\mathrm{SD}(\Pi_1; \Pi_2) = \mathrm{SD}(\Pi_2; \Pi_3) = \mathrm{SD}(\Pi_1; \Pi_3) = 0 .$$

In Process $\Pi_4$, we want to simplify the probability distribution of $\mathrm{ChA}^n(0^n)$ by computing its smooth min-entropy: Invoking Lemma 5.4 with $\mathrm{ChA}^n(0^n)$ lets us conclude that (for $\delta$ as in the lemma statement)

$$H_\infty^\varepsilon(\mathrm{ChA}^n(0^n)) \ge n \cdot (H(\mathrm{ChA}) - \delta)$$

for $\varepsilon = 2^{-\frac{n\delta^2}{2\lg^2(|\mathrm{OutA}| + 3)}}$. Recall that this means that there exists a probability distribution $P'$ on $\mathrm{OutA}^n$ such that $\mathrm{SD}(P_{\mathrm{ChA}^n(0^n)}; P') \le \varepsilon$ and $H_\infty(P') \ge n \cdot (H(\mathrm{ChA}) - \delta)$, or, equivalently,

$$P'(Y) \le 2^{-n \cdot (H(\mathrm{ChA}) - \delta)} \qquad (4)$$

for all $Y \in \mathrm{OutA}^n$. Accordingly, we transition from Process $\Pi_3$ to Process $\Pi_4$ by sampling $Y$ with respect to the probability distribution $P'$. Clearly, $\mathrm{SD}(\Pi_3; \Pi_4) \le \mathrm{SD}(P_{\mathrm{ChA}^n(0^n)}; P') \le \varepsilon$.
Let now $\mathbf{X}, \mathbf{Y}, \mathbf{Z}$ be random variables representing the respective choices of $X$, $Y$ and $Z$ in $\Pi_4$. Then, using (4) in the inequality,

$$H_\infty(\mathbf{X} \mid \mathbf{Z}) = -\lg\Big(\sum_{Z \in \mathrm{OutA}^n} \max_{X \in \{0,1\}^k} \Pr[\mathbf{X} = X \wedge \mathbf{Z} = Z]\Big)$$
$$= -\lg\Big(\sum_{Z \in \mathrm{OutA}^n} \max_{X \in \{0,1\}^k} \Pr[\mathbf{X} = X] \cdot \Pr[\mathbf{Z} = Z \mid \mathbf{X} = X]\Big)$$
$$= -\lg\Big(\sum_{Z \in \mathrm{OutA}^n} \max_{X \in \{0,1\}^k} \Pr[\mathbf{X} = X] \cdot \Pr[\mathbf{Y} = \pi^{-1}_{\mathrm{E}(X)}(Z)]\Big)$$
$$\ge -\lg\Big(\sum_{Z \in \mathrm{OutA}^n} 2^{-k} \cdot 2^{-n(H(\mathrm{ChA}) - \delta)}\Big)$$
$$= -\lg\Big(2^{n\lg(|\mathrm{OutA}|)} \cdot 2^{-k} \cdot 2^{-n(H(\mathrm{ChA}) - \delta)}\Big) = k - n \cdot (\lg(|\mathrm{OutA}|) - H(\mathrm{ChA}) + \delta) .$$

In Process $\Pi_5$, instead of $M$, we then output an independent random value $M'$. Using the fact that Ext is a $(k - n \cdot (\lg(|\mathrm{OutA}|) - H(\mathrm{ChA}) + \delta), \alpha)$-extractor, we directly obtain $\mathrm{SD}(\Pi_4; \Pi_5) \le \alpha$. We conclude by undoing the changes we had from Process $\Pi_1$, coming back to the original choice of $X$, $C$, and $Z$, while still outputting $M'$ instead of $M$. It is easy to see that $\mathrm{SD}(\Pi_5; \Pi_6) \le \varepsilon$.

The final bound in the lemma statement follows via the triangle inequality, by adding all distances between consecutive processes.



5.3 DS-Security of ItE 

As proven above, using invertible extractors with appropriate parameters is amenable to proving RDS-security. However, proving DS-security seems to require a better grasp of the combinatorial structure of Ext and Inv, as well as of the channel ChA. Interestingly, we now show that such a requirement is quite minimal, as a corollary of a more general result relating RDS- and DS-security, which we now explain.

From RDS- to DS-security. We first recall the following notions from [3], adapted to the more general setting of seeded encryption: Think of a randomized seeded encryption function $\mathcal{SE} : \mathrm{SDS} \times \{0,1\}^b \to \{0,1\}^n$ as a deterministic map $\{0,1\}^r \times \mathrm{SDS} \times \{0,1\}^b \to \{0,1\}^n$, where the first argument takes the role of the random coins. We call $\mathcal{SE}$ separable if

$$\mathcal{SE}(R, S, M) = \mathcal{SE}(R, S, 0^b) \oplus \mathcal{SE}(0^r, S, M)$$

for all $R \in \{0,1\}^r$, $S \in \mathrm{SDS}$, and $M \in \{0,1\}^b$. Also, $\mathcal{SE}$ is message linear if $\mathcal{SE}(0^r, S, \cdot) : \{0,1\}^b \to \{0,1\}^n$ is linear for all $S \in \mathrm{SDS}$.

We now state and prove the following lemma, which relates RDS and DS security for seeded encryption functions when transmitting each ciphertext bit over a symmetric channel.

Lemma 5.6 [RDS $\Rightarrow$ DS] Let $\mathrm{OutA} \subseteq \{0,1\}^*$. For any symmetric channel $\mathrm{ChA} : \{0,1\} \to \mathrm{OutA}$, if $\mathcal{SE} : \mathrm{SDS} \times \{0,1\}^b \to \{0,1\}^n$ is separable and message linear, then

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}^n) \le 2 \cdot \mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}^n) .$$

An analogous version of this lemma for the simpler case of mutual-information security and unseeded encryption is given in [3]. Here, we extend their result to the setting of seeded encryption and of DS-security. The proof of Lemma 5.6 will make use of the following technical statement from [3].

Lemma 5.7 [3] Let $\mathcal{SE} : \mathrm{SDS} \times \{0,1\}^b \to \{0,1\}^n$ be separable and message linear, let $\mathrm{ChA} : \{0,1\} \to \mathrm{OutA}$ be a symmetric channel, and, for all $S \in \mathrm{SDS}$, let $\mathrm{Ch}_{\mathcal{SE}, S} : \{0,1\}^b \to \mathrm{OutA}^n$ be the channel which on input $M \in \{0,1\}^b$ outputs $\mathrm{ChA}^n(\mathcal{SE}(S, M))$. Then, $\mathrm{Ch}_{\mathcal{SE}, S}$ is symmetric for all $S \in \mathrm{SDS}$.
The proof of Lemma 5.6 centrally relies on the following fact: It states that for a symmetric channel Ch, the statistical distance between $\mathrm{Ch}(U)$ for a uniform random input $U$ and $\mathrm{Ch}(M)$ is the same regardless of the choice of the input $M$.

Lemma 5.8 Let $\mathrm{Ch} : \{0,1\}^b \to \mathrm{Out}$ be a symmetric channel. Let $U$ be a uniformly distributed $b$-bit string. Then, there exists $\Delta(\mathrm{Ch})$ such that $\Delta(\mathrm{Ch}) = \mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M))$ for all $M \in \{0,1\}^b$.

Proof: We partition the output set $\mathrm{Out} = \bigcup_{i=1}^{r} \mathrm{Out}_i$ so that the sub-matrices $W[\cdot, \mathrm{Out}_i]$ are strongly symmetric. By the definition of statistical distance,

$$\mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M)) = \frac{1}{2} \sum_{Y \in \mathrm{Out}} \big|\Pr[\mathrm{Ch}(U) = Y] - \Pr[\mathrm{Ch}(M) = Y]\big| = \frac{1}{2} \sum_{i=1}^{r} \sum_{Y \in \mathrm{Out}_i} \big|\Pr[\mathrm{Ch}(U) = Y] - \Pr[\mathrm{Ch}(M) = Y]\big| .$$

Fix some $i \in [1 \ldots r]$. Then, for all $Y, Y' \in \mathrm{Out}_i$,

$$\Pr[\mathrm{Ch}(U) = Y] = \frac{1}{2^b} \sum_{M \in \{0,1\}^b} W[M, Y] = \frac{1}{2^b} \sum_{M \in \{0,1\}^b} W[M, Y'] = \Pr[\mathrm{Ch}(U) = Y'] ,$$

using the fact that the columns $W[\cdot, Y]$ and $W[\cdot, Y']$ are a permutation of each other.

Then, in particular, with $p_i = \Pr[\mathrm{Ch}(U) = Y]$ for any $Y \in \mathrm{Out}_i$, we can rewrite the above as

$$\mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M)) = \frac{1}{2} \sum_{i=1}^{r} \sum_{Y \in \mathrm{Out}_i} \big|p_i - W[M, Y]\big| .$$

However, since the rows $W[M, \mathrm{Out}_i]$ and $W[M', \mathrm{Out}_i]$ are permutations of each other for any two messages $M, M' \in \{0,1\}^b$ and for all $i \in [1 \ldots r]$, it follows that $\mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M)) = \mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M'))$.

With both lemmas at hand, we can now turn to the proof of Lemma 5.6.

Proof of Lemma 5.6: We first observe that with $\mathrm{Ch}_{\mathcal{SE}, S}$ defined as in Lemma 5.7,

$$\mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}^n) = \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\big[\mathrm{SD}((\mathrm{ChA}^n(\mathcal{SE}(S, U)), U); (\mathrm{ChA}^n(\mathcal{SE}(S, U')), U))\big]$$
$$= \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\Big[\frac{1}{2^b} \sum_{M \in \{0,1\}^b} \mathrm{SD}(\mathrm{Ch}_{\mathcal{SE}, S}(U'); \mathrm{Ch}_{\mathcal{SE}, S}(M))\Big]$$
$$= \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\big[\Delta(\mathrm{Ch}_{\mathcal{SE}, S})\big] ,$$

where the last equality follows from Lemma 5.8. On the other hand, by the triangle inequality,

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}^n) = \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\Big[\max_{M_0, M_1 \in \{0,1\}^b} \mathrm{SD}(\mathrm{ChA}^n(\mathcal{SE}(S, M_0)); \mathrm{ChA}^n(\mathcal{SE}(S, M_1)))\Big]$$
$$= \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\Big[\max_{M_0, M_1 \in \{0,1\}^b} \mathrm{SD}(\mathrm{Ch}_{\mathcal{SE}, S}(M_0); \mathrm{Ch}_{\mathcal{SE}, S}(M_1))\Big]$$
$$\le \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\Big[\max_{M_0, M_1 \in \{0,1\}^b} \big(\mathrm{SD}(\mathrm{Ch}_{\mathcal{SE}, S}(M_0); \mathrm{Ch}_{\mathcal{SE}, S}(U)) + \mathrm{SD}(\mathrm{Ch}_{\mathcal{SE}, S}(U); \mathrm{Ch}_{\mathcal{SE}, S}(M_1))\big)\Big]$$
$$= 2 \cdot \mathbb{E}_{S \leftarrow_\$ \mathrm{SDS}}\big[\Delta(\mathrm{Ch}_{\mathcal{SE}, S})\big] = 2 \cdot \mathrm{Adv}^{\mathrm{rds}}(\mathcal{SE}; \mathrm{ChA}^n) ,$$

which concludes the proof.
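Added example (Python, not the paper's code) for Lemmas 5.6 to 5.8: for a toy separable and message-linear seeded encryption $\mathcal{SE}(R, S, M) = G \cdot (M \,\|\, R)$ over $\mathrm{GF}(2)$ with a constructed $3 \times 3$ matrix $G$ and a trivial seed set, it builds the transition matrix of $\mathrm{Ch}_{\mathcal{SE}, S}$ over $\mathrm{BSC}_p^3$ exactly, checks that its rows are permutations of each other (Lemma 5.7), that $\mathrm{SD}(\mathrm{Ch}(U); \mathrm{Ch}(M))$ is the same for every $M$ so that $\Delta(\mathrm{Ch})$ is well defined (Lemma 5.8), and that $\mathrm{Adv}^{\mathrm{ds}} \le 2 \cdot \mathrm{Adv}^{\mathrm{rds}}$ holds with these exact values (Lemma 5.6).

```python
import itertools

# Added example (not the paper's code): Delta(Ch) of Lemma 5.8 and the advantages of
# Lemma 5.6 computed exactly for a toy separable, message-linear seeded encryption.
# Assumptions of the example: SE(R, S, M) = G . (M || R) over GF(2) with the constructed
# matrix G below, a trivial seed set (SE does not depend on S), and ChA = BSC_p.

B, R_BITS, N = 2, 1, 3        # b message bits, r random bits, n ciphertext bits

# Constructed generator matrix G (n rows, k = b + r columns): ciphertext bit i is the
# XOR of the bits of (M || R) selected by row i.
G = [[1, 0, 1],
     [0, 1, 1],
     [0, 0, 1]]


def all_bitstrings(length):
    return list(itertools.product((0, 1), repeat=length))


def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))


def se(r, m):
    """SE(R, S, M) viewed as a deterministic map of the coins R and the message M."""
    x = tuple(m) + tuple(r)
    return tuple(sum(g * xi for g, xi in zip(row, x)) % 2 for row in G)


def is_separable_and_message_linear():
    """Checks SE(R, M) = SE(R, 0^b) xor SE(0^r, M) and linearity of SE(0^r, .)."""
    zero_m, zero_r = (0,) * B, (0,) * R_BITS
    for r in all_bitstrings(R_BITS):
        for m in all_bitstrings(B):
            if se(r, m) != xor(se(r, zero_m), se(zero_r, m)):
                return False
            for m2 in all_bitstrings(B):
                if se(zero_r, xor(m, m2)) != xor(se(zero_r, m), se(zero_r, m2)):
                    return False
    return True


def bsc_n_prob(c, y, p):
    """Pr[BSC_p^n(C) = Y]."""
    flips = sum(ci != yi for ci, yi in zip(c, y))
    return p ** flips * (1 - p) ** (len(c) - flips)


def channel_matrix(p):
    """W[M][Y] = Pr[Ch_{SE,S}(M) = Y] = E_R Pr[BSC_p^n(SE(R, M)) = Y] (the channel of Lemma 5.7)."""
    ys, rs = all_bitstrings(N), all_bitstrings(R_BITS)
    return [[sum(bsc_n_prob(se(r, m), y, p) for r in rs) / len(rs) for y in ys]
            for m in all_bitstrings(B)]


def rows_are_permutations(W):
    """Every row of a symmetric channel is a permutation of every other row."""
    return all(sorted(row) == sorted(W[0]) for row in W)


def sd(P, Q):
    """Statistical distance of two distributions given as probability lists."""
    return sum(abs(a - b) for a, b in zip(P, Q)) / 2


def deltas(W):
    """SD(Ch(U); Ch(M)) for every M, with U uniform; Lemma 5.8 says all values coincide."""
    ch_u = [sum(col) / len(W) for col in zip(*W)]
    return [sd(ch_u, row) for row in W]


def adv_rds(W):
    """Adv^rds = E_M[SD(Ch(U'); Ch(M))] = Delta(Ch) for a symmetric channel."""
    return sum(deltas(W)) / len(W)


def adv_ds(W):
    """Adv^ds = max over message pairs of SD(Ch(M0); Ch(M1))."""
    return max(sd(W[i], W[j]) for i in range(len(W)) for j in range(len(W)))


if __name__ == "__main__":
    W = channel_matrix(0.1)
    print("rows are permutations of each other:", rows_are_permutations(W))
    print("SD(Ch(U); Ch(M)) per message:", [round(d, 4) for d in deltas(W)])
    print("Adv_ds =", round(adv_ds(W), 4), "<= 2 * Adv_rds =", round(2 * adv_rds(W), 4))
```

The reason the rows come out as permutations of each other is visible in the code: by separability, $\mathrm{Ch}_{\mathcal{SE}, S}(M)$ is the distribution of $\mathrm{Ch}_{\mathcal{SE}, S}(0^b)$ shifted by the fixed vector $\mathcal{SE}(0^r, S, M)$, and shifting the output space is a permutation. Any other binary $G$ and any $p \in (0, 1/2)$ can be substituted without changing the checks.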

DS-Security of ItE. Coming back to the concrete case of ItE, we say that an extractor-inverter $\mathrm{Inv} : \mathrm{SDS} \times \{0,1\}^r \times \{0,1\}^b \to \{0,1\}^k$ is output linear if $\mathrm{Inv}(S, 0^r, \cdot)$ is linear for all $S \in \mathrm{SDS}$. Moreover, it is separable if

$$\mathrm{Inv}(S, R, Y) = \mathrm{Inv}(S, R, 0^b) \oplus \mathrm{Inv}(S, 0^r, Y) \qquad (5)$$

for all $S \in \mathrm{SDS}$, $R \in \{0,1\}^r$, and $Y \in \{0,1\}^b$. Note that the inverter for the above extractor based on finite-field multiplication is easily seen to be output linear and separable, by the linearity of the map $Y \mapsto S^{-1} \otimes Y$. Therefore, if we instantiate $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$ so that Inv is both output linear and separable, and we let the map E be linear, the encryption function $\mathcal{SE}$ is easily seen to be message linear and separable. The following theorem now follows immediately by combining Lemma 5.6 and Lemma 5.5, and concludes our security analysis of ItE.

Theorem 5.9 [DS-security of ItE] Let $\delta > 0$ and $\mathrm{OutA} \subseteq \{0,1\}^*$. Also, let $\mathrm{ChA} : \{0,1\} \to \mathrm{OutA}$ be a symmetric channel, and assume that Inv is the output-linear and separable inverter of a regular $(k - n \cdot (\lg(|\mathrm{OutA}|) - H(\mathrm{ChA}) + \delta), \alpha)$-extractor, and that $\mathrm{E} : \{0,1\}^k \to \{0,1\}^n$ is linear and injective. Then, for $\mathcal{SE} = \mathrm{ItE}[\mathrm{Inv}, \mathrm{E}]$,

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}; \mathrm{ChA}^n) \le 2 \cdot \Big(2 \cdot 2^{-\frac{n\delta^2}{2\lg^2(|\mathrm{OutA}| + 3)}} + \alpha\Big) .$$

Below, we use this theorem to discuss how to instantiate Inv and E to achieve secrecy capacity. Moreover, we also discuss extensions of this result to a wider set of channels.



5.4 Instantiating ItE 

We now devise a seeded encryption scheme $\mathcal{SE} = \{\mathcal{SE}_s\}_{s \in \mathbb{N}}$ achieving secrecy capacity for the most common case where each ciphertext bit is transmitted over the receiver channel $\mathrm{BSC}_{p_R}$ and the adversary channel $\mathrm{BSC}_{p_A}$, respectively, where $0 \le p_R < p_A < \frac{1}{2}$. Note that by the above, the secrecy capacity here is $h_2(p_A) - h_2(p_R)$.² Using the SR construction above, $\mathcal{SE}$ can be turned into an unseeded encryption scheme $\mathcal{E}$ achieving secrecy capacity. In this case, the only known scheme [25] does not achieve security, not even against random-message adversaries. (A scheme achieving security whenever $p_R = 0$ was later given in the full version of [25], but no scheme is known for the typical case where $p_R > 0$.)

The scheme. First recall that the (Shannon) capacity of a channel $\mathrm{Ch} : \{0,1\}^l \to \{0,1\}^*$ is

$$C(\mathrm{Ch}) = \frac{1}{l} \max_X I(X; \mathrm{Ch}(X)) .$$

For example, $C(\mathrm{BSC}_p) = 1 - h_2(p)$. We need the following result (cf. e.g. [2] for a proof), which guarantees the existence of error-correcting codes achieving rate equal to the capacity of a given channel.

Lemma 5.10 [14] For any constants $l, d \ge 1$, and every channel $\mathrm{Ch} : \{0,1\}^l \to \{0,1\}^d$, there exists a family $\mathrm{E} = \{\mathrm{E}_s\}_{s \in \mathbb{N}}$ of linear codes $\mathrm{E}_s : \{0,1\}^{k(s)} \to \{0,1\}^{n(s)}$ (where $n(s)$ is a multiple of $l$), with corresponding decoding algorithms $\mathrm{D}_s : \{0,1\}^* \to \{0,1\}^{k(s)}$, such that (i) $\mathrm{DE}(\mathrm{E}_s; \mathrm{D}_s; \mathrm{Ch}^{n(s)/l}) = 2^{-\Omega(n(s))}$; (ii) $\lim_{s \to \infty} k(s)/n(s) = C(\mathrm{Ch})$, and (iii) E and D are polynomial-time computable.

To obtain our scheme via the ItE construction, we start with a family of codes $\{\mathrm{E}_s\}_{s \in \mathbb{N}}$ for $\mathrm{BSC}_{p_R}$ guaranteed to exist by Lemma 5.10, where $\mathrm{E}_s : \{0,1\}^{k(s)} \to \{0,1\}^{n(s)}$ and $\lim_{s \to \infty} k(s)/n(s) = 1 - h_2(p_R)$, or, equivalently, there exists $\nu$ such that $\nu(s) = o(1)$ and $k(s) = (1 - h_2(p_R) - \nu(s)) \cdot n(s)$. Then, we let $\delta(s) = (2\lg^2(5))^{1/2} \cdot n(s)^{-1/4}$ and $\alpha(s) = 2^{-n(s)^{1/2}}$, and use the finite-field based extractor $\mathrm{Ext}_s : \{0,1\}^{k(s)} \times \{0,1\}^{k(s)} \to \{0,1\}^{b(s)}$ (with the corresponding inverter $\mathrm{Inv}_s : \{0,1\}^{k(s)} \times \{0,1\}^{k(s) - b(s)} \times \{0,1\}^{b(s)} \to \{0,1\}^{k(s)}$), where

$$b(s) = k(s) - n(s) \cdot (1 - h_2(p_A) + \delta(s)) + 2\lg(\alpha(s)) = \big(h_2(p_A) - h_2(p_R) - \nu(s) - \delta(s) - 2 \cdot n(s)^{-1/2}\big) \cdot n(s) .$$

We finally set $\mathcal{SE}_s = \mathrm{ItE}[\mathrm{Inv}_s, \mathrm{E}_s]$. With these parameters,

$$\mathrm{Adv}^{\mathrm{ds}}(\mathcal{SE}_s; \mathrm{BSC}_{p_A}^{n(s)}) \le 6 \cdot 2^{-\sqrt{n(s)}} ,$$
$$\mathrm{DE}(\mathcal{SE}_s; \mathcal{SD}_s; \mathrm{BSC}_{p_R}^{n(s)}) \le 2^{-\Omega(n(s))}$$

by Theorem 5.9 and Lemma 5.3, respectively. The rate of $\mathcal{SE}_s$ is

$$\mathrm{Rate}(\mathcal{SE}_s) = h_2(p_A) - h_2(p_R) - \nu(s) - \delta(s) - \frac{2}{\sqrt{n(s)}} ,$$

which yields

$$\mathrm{Rate}(\mathcal{SE}) = \lim_{s \to \infty} \mathrm{Rate}(\mathcal{SE}_s) = h_2(p_A) - h_2(p_R) .$$

If we now plug $\mathcal{SE}$ into the SR construction, using $t(s) = \lg(n(s))$, the resulting encryption scheme is exactly the one described in the introduction, where $A = S^{-1}$.

² Recall that if $\mathrm{ChA} : \{0,1\} \to \{0,1\}^*$ and $\mathrm{ChR} : \{0,1\} \to \{0,1\}^*$ are symmetric channels, their secrecy capacity equals [22] $H(U \mid \mathrm{ChA}(U)) - H(U \mid \mathrm{ChR}(U))$, for a uniform bit $U$.
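To see what the parameters of this section mean numerically, here is an added Python example (not the paper's code) that evaluates $\delta(s)$, $b(s)$, $\mathrm{Rate}(\mathcal{SE}_s)$ and the bound $6 \cdot 2^{-\sqrt{n(s)}}$ for concrete $p_R$, $p_A$ and block lengths $n = n(s)$, treating $\nu(s)$ as a given input; the crossover probabilities used are constructed values.

```python
import math

# Added example (not the paper's code): evaluating the parameter choices of Section 5.4
# for concrete crossover probabilities, to see how quickly Rate(SE_s) approaches the
# secrecy capacity h_2(p_A) - h_2(p_R) and how large n = n(s) must be before b(s) > 0.
# nu(s), the gap of the underlying code to capacity, is treated as a given input.


def h2(p):
    """Binary entropy function h_2."""
    return 0.0 if p in (0.0, 1.0) else -p * math.log2(p) - (1 - p) * math.log2(1 - p)


def secrecy_capacity(p_r, p_a):
    """h_2(p_A) - h_2(p_R) for BSC_{p_R} / BSC_{p_A} with 0 <= p_R < p_A < 1/2."""
    return h2(p_a) - h2(p_r)


def parameters(n, p_r, p_a, nu=0.0):
    """delta(s), lg(alpha(s)), k(s) and b(s) for block length n, following Section 5.4.
    lg^2(5) appears because |OutA| = 2 in epsilon(delta, n, |OutA|) of Lemma 5.4.
    lg(alpha) = -sqrt(n) is kept in the exponent: alpha itself underflows for large n."""
    delta = math.sqrt(2 * math.log2(5) ** 2) * n ** -0.25
    lg_alpha = -math.sqrt(n)
    k = (1 - h2(p_r) - nu) * n
    b = k - n * (1 - h2(p_a) + delta) + 2 * lg_alpha
    return {"delta": delta, "lg_alpha": lg_alpha, "k": k, "b": b}


def rate(n, p_r, p_a, nu=0.0):
    """Rate(SE_s) = b(s)/n(s) = h_2(p_A) - h_2(p_R) - nu - delta(s) - 2/sqrt(n)."""
    return parameters(n, p_r, p_a, nu)["b"] / n


def ds_advantage_bound(n):
    """6 * 2^{-sqrt(n)}: Theorem 5.9 with the parameters above (|OutA| = 2)."""
    return 6 * 2.0 ** (-math.sqrt(n))


def smallest_n_with_positive_rate(p_r, p_a, nu=0.0):
    """Smallest power of two n at which b(s) > 0, i.e. at which a message can be sent at all."""
    n = 1
    while rate(n, p_r, p_a, nu) <= 0:
        n *= 2
    return n


if __name__ == "__main__":
    p_r, p_a = 0.05, 0.2          # constructed crossover probabilities
    print("secrecy capacity:", round(secrecy_capacity(p_r, p_a), 4))
    for n in (10**4, 10**6, 10**8):
        print(n, "rate", round(rate(n, p_r, p_a), 4), "Adv_ds bound", ds_advantage_bound(n))
    print("first n with positive rate:", smallest_n_with_positive_rate(p_r, p_a))
```

The output makes the asymptotic nature of the limit statement concrete: the $\delta(s) = \Theta(n^{-1/4})$ term dominates the gap to capacity, so for $p_R = 0.05$ and $p_A = 0.2$ the rate only becomes positive at $n = 8192$ and is still about $0.03$ below the capacity $h_2(0.2) - h_2(0.05) \approx 0.4355$ at $n = 10^8$, while the distinguishing advantage bound is already negligible at $n = 10^4$.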

Some remarks. We note that it is possible to instantiate the above scheme with error-correcting codes which fall short of achieving the channel capacity, provided their rate is still larger than (roughly) $1 - h_2(p_A)$ (as otherwise $b(s)$ would become 0). In fact, this is clearly a necessary condition: A code with rate lower than $1 - h_2(p_A)$ may allow error correction when using it over $\mathrm{BSC}_{p_A}$, hence allowing the adversary to reconstruct the message.

Moreover, we point out that the same analysis can be carried out for any pair of (single input-bit) symmetric channels ChR and ChA, and the resulting rate is the secrecy capacity if the capacity of $\mathrm{ChA} : \{0,1\} \to \mathrm{OutA}$ is $\lg(|\mathrm{OutA}|) - H(\mathrm{ChA})$; this is the case if and only if a uniform input to ChA produces a uniform output. For other channels, our technique still yields good schemes which, however, may fall short of achieving capacity.

5.5 Extensions 

We remark that the above presentation is constrained to single input-bit base channels for simplicity only. Our results can be extended to discrete memoryless channels with $l$-bit inputs for $l > 1$. For example, Lemma 5.5 extends to arbitrary symmetric channels $\mathrm{ChA} : \{0,1\}^l \to \mathrm{OutA}$, at the price of replacing $n$ by $n/l$ in the security bound and in the extractor's entropy requirement. In contrast, we do not know whether Lemma 5.6 applies to arbitrary symmetric channels with $l$-bit inputs, but it does, for instance, extend to any channel of the form $\mathrm{ChA}(X) = X \oplus E$, where $E$ is an $l$-bit string sampled according to an input-independent noise distribution, as discussed in [3].
A Related Work

This section surveys existing constructions of encryption schemes in the literature. Recall that given a pair of families of channels $\mathrm{ChR} = \{\mathrm{ChR}_k\}_{k \in \mathbb{N}}$ and $\mathrm{ChA} = \{\mathrm{ChA}_k\}_{k \in \mathbb{N}}$ (where $\mathrm{ChA}_k$ and $\mathrm{ChR}_k$ have common domain for all $k \in \mathbb{N}$), their weak secrecy capacity $C_w$ is the supremum of the rates achievable by pairs $(\mathcal{E}, \mathcal{D})$ consisting of an encryption scheme $\mathcal{E} = \{\mathcal{E}_k\}_{k \in \mathbb{N}}$ and a decryption scheme $\mathcal{D} = \{\mathcal{D}_k\}_{k \in \mathbb{N}}$ for $\mathcal{E}$ and ChR such that, first, the decoding requirement is satisfied, i.e.,

$$\lim_{k \to \infty} \mathrm{DE}(\mathcal{E}_k; \mathcal{D}_k; \mathrm{ChR}_k) = 0 ,$$

and moreover,

$$\lim_{k \to \infty} \frac{\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathcal{E}_k; \mathrm{ChA}_k)}{k} = 0 ,$$

where $\mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathcal{E}_k; \mathrm{ChA}_k)$ measures MIS-R-security, as defined in [3]. We refer to the latter property as weak security. Additionally, the strong secrecy capacity $C_s \le C_w$ is obtained where we restrict the supremum over those schemes achieving MIS-R security, i.e.,

$$\lim_{k \to \infty} \mathrm{Adv}^{\mathrm{mis\text{-}r}}(\mathcal{E}_k; \mathrm{ChA}_k) = 0 . \qquad (7)$$

Wyner [34] provided a full characterization of $C_w$ in the special case where $\mathrm{ChA}_k$ is a degraded version of $\mathrm{ChR}_k$, i.e., such that there exists a transform $T$ with $T \circ \mathrm{ChR}_k = \mathrm{ChA}_k$, where the composition operator $\circ$ is the straightforward generalization of function composition to randomized transforms. Wyner's result was later generalized by Csiszar and Korner [10]. These results were inherently non-explicit: That is, existence of secrecy-capacity achieving schemes is proven via the probabilistic method, and the resulting scheme is neither explicitly given, nor is it guaranteed to be efficient. In fact, to date, only a handful of efficient schemes are known. We briefly survey existing constructions.

Syndrome and coset coding. One particular approach, which dates back to Wyner's original paper [34], in the setting where ChR is noiseless is a technique known as syndrome coding: Given a message $M \in \{0,1\}^m$ and a matrix $H \in \{0,1\}^{m \times k}$, Alice samples a random preimage $R \in \{0,1\}^k$ such that $H \cdot R = M$, and sends $R$ to Bob. Wyner proved that there exists a good choice of the matrix $H$ yielding weak security. This analysis was further improved and extended to the case where ChR is noisy (and $H$ is applied to a codeword) by Cohen and Zemor [8, 9]. However, all of these schemes only achieve weak security. It is fair to mention that from a construction standpoint, syndrome coding bears some similarity with the extractor-inversion approach introduced in Section 5, which we follow, specifically when the given extractor is the two-universal function based on matrix-vector multiplication (which can be shown to be efficiently invertible), even though this approach was not taken by these works, as they did not consider seeded encryption as a goal. Moreover, we stress that no existing proof implies MIS-R-security of these schemes, let alone DS-security.

An alternative way to look at syndrome coding is as a special instance of a more general approach: One takes a (typically linear) code $\mathrm{E} : \{0,1\}^k \to \{0,1\}^n$ which is good for the channel ChR, and then, for a given message set $\{0,1\}^m$, partitions the code $\mathcal{C} = \{\mathrm{E}(x) : x \in \{0,1\}^k\}$ into $2^m$ sets as $\mathcal{C} = \bigcup_{M \in \{0,1\}^m} \mathcal{C}_M$. Encryption of $M$ proceeds by selecting a random element of $\mathcal{C}_M$. Usually, one lets $\mathcal{C}_{0^m}$ be a linear subspace of $\mathcal{C}$, called the inner code ($\mathcal{C}$ is the outer code), and the sets $\mathcal{C}_M$ are the cosets in $\mathcal{C}/\mathcal{C}_{0^m}$. Further instantiations of this approach have been considered in [32, 30], but only explicit schemes for a noiseless ChR and a binary erasure channel ChA have been obtained, and also only for MIS-R security.
Polar codes. A novel approach has been recently proposed by Mahdavifar and Vardy [25] and by Hof and Shamai [17] (similar ideas also appeared in [20, 1]). They show that polar codes [2] can be used to directly build encryption schemes for the wiretap setting with binary-input symmetric channels. However, these schemes only provide weak security. The full version [24] of [25] provides a variant of the scheme achieving MIS-R-security, which can also be shown to achieve MIS-security (and hence DS-security) as an application of the techniques from [3]; yet, the scheme is only a proof-of-concept, as it is in particular not known how to decrypt its ciphertexts, not even inefficiently. Also note that only recently a first solution to the question of efficiently generating polar codes has appeared [31], which remains an open research direction, and hence relying on this specific code family may be somewhat problematic. Our solution, in contrast, works for arbitrary codes.

Wiretap channel II. Ozarow and Wyner [28] also considered an alternative to the above wiretap setting (called the wiretap channel II) where ChR is noiseless, but at the same time, Eve can learn a fraction $\delta$ of the bits sent over ChR, and does not learn anything about the remaining $(1 - \delta)$ fraction. Solutions were presented relying on error-correcting codes [28, 33]. Also, the notable work of [7] noted that such protocols with good parameters can be built from primitives such as deterministic randomness extractors for symbol-fixing sources with efficient inversion [19], as well as from $k$-wise independent functions [21] and related tools from exposure-resilient cryptography, such as all-or-nothing transforms [6, 13].



B Proof of Lemma 5.2

Proof: Note that Ext is two-universal, as for all distinct $X, X' \in \{0,1\}^k$,

$$\Pr[S \leftarrow_\$ \mathrm{SDS} : \mathrm{Ext}(S, X) = \mathrm{Ext}(S, X')] = \Pr\big[S \leftarrow_\$ \mathrm{SDS} : \exists R \in \{0,1\}^{k-b} \setminus \{0^{k-b}\} : S \otimes (X \oplus X') = (0 ; R)\big]$$
$$\le \sum_{R \in \{0,1\}^{k-b} \setminus \{0^{k-b}\}} \Pr[S \leftarrow_\$ \mathrm{SDS} : S \otimes (X \oplus X') = (0 ; R)] \le \frac{2^{k-b} - 1}{2^k - 1} \le \frac{1}{2^b} ,$$

since $X \oplus X' \ne 0^k$, and hence there exists at most one $S \in \{0,1\}^k \setminus \{0^k\}$ with $S \otimes (X \oplus X') = (0 ; R)$ (and note that $R \ne 0$); we have additionally used that $\frac{a-1}{b-1} \le \frac{a}{b}$ for all $a \le b$. We finally apply the LHL (Lemma 5.1) to conclude the proof.